This thesis distinguishes three methods of attacking internal protection mechanisms of computers: inadvertent disclosure, penetration, and subversion. Subversion is shown to be the most attractive to the serious attacker. Subversion is characterized by three phases of operations: the inserting of trap doors and Trojan horses, the exercising of them, and the retrieval of the resultant unauthorized information. Insertion occurs over the entire life cycle of the system from the system design phase to the implementation phase. This thesis clarifies the high risk of using computer systems, particularly so-called "trusted" subsystems, for the protection of sensitive information. This leads to a basis for countermeasures based on the lifetime protection of security related system components combined with the application of adequate technology as exemplified by the security kernel concept.
I. INTRODUCTION


To use internal mechanisms within a computer system to protect sensitive information without demonstrable assurances as to the origins and effectiveness of the system components is contrary to sound security practice. Use of allegedly "secure" or "trusted" subsystems based on operating systems that are fundamentally unsecurable is likewise unsound. Yet these two conditions can, and do, exist within the constraints of current ADP security policy and practice. As a result, supposedly "secure" computer systems present a major risk of compromise for sensitive information.

These conditions can exist because there is a basic lack of understanding as to the possible vulnerabilities of computer systems. In particular, subversion is one area that is widely neglected. The subversion of a computer system is the covert and methodical undermining of internal and external controls over a system's lifetime to allow unauthorized and undetected access to system resources and/or information.

This thesis details the methodologies involved in subversion, and how they can be used to attack a computer system. It is essential that all personnel involved in ADP security understand subversion and how it works. Without this understanding, effective policies and countermeasures cannot be devised and implemented.

The increased use of "off the shelf" ADP systems and programs can help realize significant economies in procurement costs, but there are significant dangers as well. These dangers come about because there is a pressing need for computer systems to "securely support multiple users of differing degrees of trustworthiness simultaneously handling data of differing degrees of sensitivity". This is known as the classical computer security problem [1]. It is a problem because no known commercially available system can be proven to offer the secure support required.

Present technology such as that found in the Security Kernel [2] concept points the way to a solution to the computer security problem. But no technology will assure secure computer systems unless proper safeguards are implemented to protect this technology from subversion.

To understand what is involved in the subversion of computer systems one must first be acquainted with the background of the computer security problem (Chapter II). The problem is not merely a historical one. There is currently no clear policy as to what role computer systems are to play in the protection of information. As a result, systems are plagued with inadequate internal protection mechanisms whose effectiveness cannot be assured. Chapters III and IV deal with how these inadequacies can be exploited through subversion. Finally, Chapter V discusses how the risk of subversion can be minimized.
II. UNDERSTANDING THE COMPUTER SECURITY PROBLEM


The computer security problem has grown with the computer industry. When the entire system was dedicated to a single user, protection consisted of the user simply picking up his tapes and cards and clearing CPU core when the job was finished. Basically the user had complete control over his processing environment, including his data and programs. After a few years users began demanding better utilization of the resources. The response to this demand for more efficiency gave birth to multiplexing techniques, resource sharing operating systems, multiprogramming and various other techniques of the age. The user suddenly found not only a lack of control over the processing environment but a lack of control over the protection of his data and programs as well. Cat [3] indicates:

With the appearance of multiplexing techniques there arose the problem of defending independent software structures from each other, as these were often implemented on the same physical resource. Thus, multiprogramming operating systems enforce some sort of isolation between simultaneously executing processes.

Since efficiency was the main consideration in computer systems design, criteria limited the "defending" and "isolation" to the containment of accidents and errors [2].
Organizations desiring to utilize the increased capacities of resource sharing systems demanded assurances that sensitive and nonsensitive information could be processed concurrently. Bisbey [25] comments:

Responding to customer pressure, the systems manufacturers at first claimed that hardware and software mechanisms supporting resource sharing would also (with perhaps minor alterations) provide sufficient protection and isolation to permit multiprogramming of sensitive and nonsensitive programs and data.

This claim was soon discounted in the early 1970's with the introduction of several penetration "tiger teams" that were specifically tasked to test the protection offered by several major operating systems. Even those systems that underwent "retrofitting" to correct known implementation errors and design oversights were penetrated with only moderate amounts of energy [1]. Evidence as recent as 1978 indicates that current operating systems for which the major vendors have "conscientiously and competently attempted to improve security" have been successfully penetrated [1].

Finally, as a crowning blow to the state of current computer systems, a Consensus Report published in the proceedings of the 1979 National Computer Conference [1] states:

It is a fact, demonstrable by any of several studies, that no existing commercially-produced computer system can be counted upon to protect any of its moderately knowledgeable users from having complete and undetectable access to any information in the system, no matter what kinds of so-called security features or mechanisms have been built into the system.


Harrison, Ruzzo, and Ullman in their paper "Protection in Operating Systems" [4] provide conclusive proof that there is no algorithm that can prove an arbitrary protection system (such as an operating system) safe. This means it cannot be proven that an arbitrary operating system can withhold unauthorized information from malicious users. This is because a system may not be (and usually is not) designed in a manner that its safety can be precisely determined. However, for a properly designed system the safety question could be decided. But the constraints placed on these "model" systems are too severe to prove practical for the evaluation of current operating systems. In particular, systems designed using the security kernel technology [3] can be definitively evaluated for security. This technology will be briefly discussed in Chapter V.

It has been said that understanding the computer security problem requires close attention to three subjects: policy, mechanisms, and assurance [1]. It is essential to understand all aspects of the problem. Therefore, a brief discussion of each area is offered.


A. LACK OF COHERENT POLICY 


In general, a security policy defines what is meant by "secure" [5]. The sources of this policy are laws and regulations that outline how information is to be handled. The computer industry in general, both users and vendors, have not reached a consensus as to what would constitute a coherent approach to computer security policy. The Consensus Report [1] indicates:

This passive attitude on both sides tends to mask the general nature of the security problem because the more knowledgeable security users demand solutions to their unique problems, solutions that might not become standard parts of a product line.

DOD fares better in having a more specific policy as to the handling of sensitive information in general. This policy involves a non-discretionary (or mandatory) access control and within these constraints a discretionary control.

When information is given a formal security classification, it is forbidden without explicit administrative declassification or downgrading to allow someone to have access to information of higher classification than he is cleared for, i.e., the holder of classified information has no discretionary authority in this respect concerning who he can share it with. This is an example of a mandatory access control policy [1].

Within the mandatory constraints there exists a discretionary policy that allows the creator of the information discretion over access to the information by other cleared personnel. This is the concept of "need to know". A person must have the clearance (mandatory) and a need to know (discretionary) before access to information is granted.
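The two-layer rule just described, as an added illustration that is not part of the thesis: a reference-monitor style check in which the mandatory test (clearance dominates classification) is applied first and cannot be overridden by any "need to know" grant, which only the creator may extend. The level names, compartments, subjects and documents are constructed for the example.

```python
"""Added example (not from the thesis): mandatory check, then discretionary
"need to know" check, in the order the policy above requires."""
from dataclasses import dataclass, field

# Hierarchical classification levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of compartments (e.g. {"NATO"})."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Mandatory rule: the subject's level must be at least as high and the
        # subject must hold every compartment the object carries.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Document:
    name: str
    label: Label
    owner: str                                   # the creator of the information
    need_to_know: set = field(default_factory=set)


def grant_need_to_know(doc: Document, grantor: str, subject: str) -> bool:
    """Discretionary grant; only the creator may extend need to know.
    A grant never changes the document's label, so it cannot relax the
    mandatory constraint."""
    if grantor != doc.owner:
        return False
    doc.need_to_know.add(subject)
    return True


def check_read(subject: str, clearance: Label, doc: Document):
    """Return (allowed, reason). Mandatory first, discretionary second."""
    if not clearance.dominates(doc.label):
        return (False, "mandatory: clearance does not dominate classification")
    if subject != doc.owner and subject not in doc.need_to_know:
        return (False, "discretionary: no need to know")
    return (True, "granted")


def demo():
    # Constructed sample data: one SECRET/NATO document and four subjects.
    plan = Document("ops-plan", Label("SECRET", frozenset({"NATO"})), owner="alice")
    clearances = {
        "bob":   Label("TOP SECRET", frozenset({"NATO"})),
        "carol": Label("SECRET"),                          # lacks the NATO compartment
        "dave":  Label("CONFIDENTIAL", frozenset({"NATO"})),  # level too low
        "eve":   Label("TOP SECRET", frozenset({"NATO"})),
    }
    results = {}
    # Cleared, but no need to know yet: denied by the discretionary layer.
    results["bob_before_grant"] = check_read("bob", clearances["bob"], plan)
    grant_need_to_know(plan, "alice", "bob")
    results["bob_after_grant"] = check_read("bob", clearances["bob"], plan)
    # The owner "shares" with carol and dave, but the mandatory layer still denies:
    # the holder has no discretionary authority over classification.
    grant_need_to_know(plan, "alice", "carol")
    grant_need_to_know(plan, "alice", "dave")
    results["carol"] = check_read("carol", clearances["carol"], plan)
    results["dave"] = check_read("dave", clearances["dave"], plan)
    # A non-owner cannot extend need to know on the owner's behalf.
    results["bob_grants_eve"] = grant_need_to_know(plan, "bob", "eve")
    results["eve"] = check_read("eve", clearances["eve"], plan)
    return results


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who:16} -> {outcome}")
```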
However, in the area of sensitive information as it relates to the computer, guidelines such as those outlined above are less clear. Policy does not clearly discriminate between a computer providing only computation and one providing both computation and protection [6].

In a simple computation environment, protection or security is enforced by physical means external to the computer (fences, guards, etc.) as in a "dedicated" mode of operation. In this mode, all users allowed access to the system are cleared for the highest level of information contained in the system (i.e., it is dedicated to processing at a given security level). All users, equipment, and information reside within this protective boundary or "security perimeter". Everything within the security perimeter is considered benign. The computer system is not expected to seriously "defend" information from any of its users because they are considered non-malicious by virtue of their security clearances.

In the other environment (called the multilevel security mode) the computer not only provides computation but must internally provide mechanisms that distinguish levels of information and user authorization [6]. This is because not all users of the system are cleared for the highest level of information contained in the system. Here, the computer system must protect the information from the uncleared (and possibly malicious) user. In effect, the computer system must become part of the security perimeter. The internal protection mechanisms (whatever they may be) must "assume the role" of the guards, fences, etc. that are indicative of the external security perimeter. Policy (which defines what is meant by "secure") must be clearly translated into terms that can be implemented on a computer. Unless a specific policy is required to be implemented on a computer system in a VERIFIABLE manner, there would be no way one could determine if the computer system was EFFECTIVE in enforcing the given policy.


B. INADEQUATE INTERNAL MECHANISMS


The baseline documents within DOD for ADP security are DOD Directive 5200.28 "Security Requirements for ADP Systems" [7] and its associated Manual DOD 5200.28M "The ADP Security Manual" [8]. The Directive states that "techniques and procedures which can be used to secure and evaluate resource-sharing ADP systems" are contained in the ADP Security Manual. Therefore, it is instructive to specifically address the Manual.

Since the central issue of a multilevel security system concerns the use of internal protection mechanisms to enforce protection of information, it is important to understand what these mechanisms are. The following are selected excerpts from the Manual that illustrate the officially enunciated role of internal software mechanisms:


4-300 General

The user and master modes of ADP Systems operation shall be separated so that a program operating in a user mode is prevented from performing control functions.

4-321 O/S Controls

The O/S shall contain controls which provide the user with all material to which he is authorized access, but no more.

4-305 Other Fundamental Features

... Unauthorized attempts to change, circumvent, or otherwise violate these features should be detectable and reported.... In addition the incident shall be recorded in the audit log....

a. Memory/Storage protection - The operating system shall protect the security of the ADP system by controlling:

1. Resource allocation (including primary and auxiliary memory);

2. Memory access outside of assigned areas; and

3. The execution of master (supervisory) mode instructions which could adversely affect the security of the O/S.

b. ...

c. Access Controls - Access to material stored within the ADP System shall be controlled by the ADP system security officer, ..., or by automatic processes operating under separate and specific controls within the O/S established through hardware, software, and procedural safeguards approved by the ADP System security officer.

d. ...
e. ...

f. User identification - Where needed to assure control of access and individual accountability, each user or specific group of users shall be identified to the ADP System by appropriate administrative or hardware/software measures. Such identification measures must be in sufficient detail to enable the ADP system to provide the user only that material which he is authorized.

These seem to be reasonable requirements to ask of a multilevel security system. The problem is that there is no way that these requirements can be proven effective. They can only be proven ineffective. This is evident in the ADP Security Manual's ad-hoc method of Security Testing and Evaluation (ST&E). An evaluation is defined in paragraph 1-213 of the manual:

The evaluator's report to the Designated Approving Authority describing the investigative and test procedures used in the analysis of the ADP System security features with a description and results of tests used to support or refute specific System weaknesses that would permit the acquisition [illegible] secure or protected data files.


Verification is defined in paragraph 1-225:

The successful testing and documentation of actual on-line System penetration or attempts to penetrate the system in support or in contradiction of assumptions developed during system review and analysis which are to be included in the Evaluation report.

The above methodology is fundamentally flawed. Recall from mathematics that it is sufficient to disprove a proposition (e.g., that a system is secure) by showing only one example where the proposition is false (e.g., a successful penetration). It is not sufficient to prove the proposition by offering an example where the proposition appears to hold (e.g., an unsuccessful penetration attempt). The best position to take concerning these methods is stated by Schell [6]:

Do not trust security to technology unless that technology is demonstrably trustworthy, and the absence of demonstrated compromise is NOT a demonstration of security.

It is imperative that any mechanism that will be required to aid in the securing of a computer system be constructed in such a way that it can, in fact, be verified effective.


C. FALSE ASSURANCES


False assurances concerning the ability of computer systems to effectively protect information come about because people in positions of responsibility do not understand that a "technical computer security" problem exists.

...government agencies, as well as private industry, continue to issue purchase requests containing sections labeled "security requirements", which are mostly lists of features and mechanisms, in the apparent belief they will obtain something useful [1].

The previous section's discussion on policy illustrated how the reliance on "features and mechanisms" without demanding demonstrable effectiveness can lead to false assurances.

No self respecting computer system salesman is going to admit that his products cannot provide the effective protection that an application demands. No malicious intent is implied by this statement, but the salesman is no more aware of the true nature of the computer security problem than the customer who unknowingly demands the ineffective "features and mechanisms" in a procurement specification. The Consensus Report [1] demonstrates this lack of understanding:

...even if government procurement specifications were tightened to ask for the kind of security we believe possible with the current state of the art, fewer than fifty people in the country would understand the true implications of what is being asked for, and those fifty are concentrated in less than a half-dozen organizations, none of them in the main stream development organizations of the major mainframe vendors. This is partly because at the moment most efforts of vendors relating to security are concentrating on the "mechanisms" part of the security problem, with very little attention to the "assurance" part.


1. Reliance on "Trusted" Subsystems


A subsystem can be viewed as any computing environment that restricts the user's functions to a subset of the host computer's functional capabilities. An example of this is a transaction data management system. The user is bound to a restricted "menu" of functions that allow him to carry out only his required tasks. For instance, a data entry clerk in such a subsystem has no need to write programs, so this capability is not part of the clerk's menu. The general feeling about subsystems is that by restricting the user's capabilities, he will be denied the "tools" he needs to perform malicious activities.

Alleged "secure" or "trusted" subsystems are presently being developed within DOD as a means of coping with the computer security problem:

Given an untrusted operating system, this approach employs the use of a trusted transaction data management system or other trusted special-purpose subsystem in concert with facility and procedural constraints that limit the population of users to the trusted subsystem. (Only trusted users are allowed access to any parts of the system outside of the trusted subsystem.) This solution combines trusted software (but not the operating system itself) and trusted procedures, and is an expedient until completely trusted operating systems are more widely available. Secure subsystems development for the DOD in transaction applications is currently underway [1].

Unfortunately one cannot exclude the operating system from the "solution" as proposed in the above. All subsystems are "built" upon an underlying operating system. The operating system must therefore be considered as an integral part of the trusted subsystem.

Ample discussion has already been offered as to the unreliability of current operating systems. A subsystem, when viewed from the aspect of the underlying operating system, is nothing more than another application program. If there are exploitable flaws in the underlying operating system that can be used to exploit the system without the subsystem, then these same flaws can be used to exploit it with the subsystem. Chapter IV demonstrates how this can be done. Reliance must not be put on a "trusted" subsystem unless the foundation on which it is built is solid and trustworthy.


2. Lifetime Protection


There are no explicit Security Testing and Evaluation (ST&E) criteria in DOD guidelines that take into account the history of system components. Using computer systems with uncertifiable backgrounds, especially in multilevel security mode applications, can prove particularly disastrous. The main thrust of this thesis is concerned with just such issues. The lifetime of a computer system is not just the operational lifetime, i.e., when it comes under the control of an ADP security officer, but is from "conception until death". This includes the design, implementation, distribution, installation, and production phases of a computer system.

It is not sufficient to know that a given computer system and its associated software are standard "off the shelf" versions of company XYZ's product line. Without specific assurances concerning the protective measures that have been afforded system components or the trustworthiness of development personnel, there is no way that an effective evaluation can occur. If at some time prior to the user gaining control of a system, malicious elements have access to system components, it would be virtually impossible to determine what modifications to invalidate security controls were made. This lack of protection is one of the fundamental reasons why the subversion of computer systems can be so effective. Later chapters will amplify this concept.

It has been proposed [1,9] that current operating systems be evaluated as to their security attributes. The result of this evaluation would yield an "approved products list". The resulting "grade" that a system would receive would supposedly determine its relative ability to protect information. The problem is that these criteria do not substantively address whether or not the security related components (hardware and software) have received the proper lifetime protection from malicious elements. Unless this vital factor has been taken into account, any "approved products list" would prove meaningless.


D. CHAPTER SUMMARY


It has been the purpose of this chapter to acquaint the reader with the background of the computer security problem. This problem has been aggravated by a general lack of understanding as to the true nature of the computer security problem by those responsible for its solution. This has led to a reliance on inadequate internal mechanisms, and false assurances as to their effectiveness. It is important to understand this background because it serves as a backdrop with which to view the subject of computer subversion, the principal topic of this thesis.
III. METHODS OF ATTACKING INTERNAL SYSTEM CONTROLS


There are three methods of attacking internal system controls in computers. They are inadvertent disclosure, penetration, and subversion. Each method is briefly discussed. Later chapters will develop the details involved in penetration and subversion. Distinctions are made between the current concept of penetration and the concept of subversion.


A. INADVERTENT DISCLOSURE


Inadvertent or accidental disclosures are basically probabilistic in nature. They may involve a combination of human, hardware, and timing factors that when combined could allow a disclosure of information to an unauthorized user. Simple examples of this method are a computer operator inadvertently mounting the wrong tape, or the hardware failure of memory bounds checking mechanisms. Users receiving information from this kind of disclosure are often victims of circumstances and may not be malicious in their intent. However, even though the success of this method depends on probabilistic events that one cannot control, it can be utilized by the determined attacker.

The basic approach used by an attacker in this method is to sit and wait for the proper set of circumstances to occur. Upon detection of a breach in the protection mechanism, the attacker would take appropriate actions to exploit the breach.

This method was addressed in the Multics Security Evaluation [12]. A program called the "subverter" was written to run in the background of an unprivileged interactive process. Once each minute the subverter program received a timer interrupt and performed one test from a group of functions that would sample the integrity of the security sensitive hardware. These tests included:

1. Testing master mode instructions.

2. Attempting to violate read and write permission on segment access control lists.

3. Testing of all instructions marked illegal.

4. Taking out-of-bounds faults on zero length segments.

Methods similar to those above could prove profitable to a malicious user, particularly if the system under attack had a history of questionable hardware reliability. Although this method is a viable attack method, other methods will be discussed that do not rely on these probabilistic circumstances.
B. PENETRATION


There are three major characteristics to penetration:

1. The penetrator is deliberate in his attempts.

2. The penetrator uses system foibles to circumvent system controls.

3. The methods are repeatable under the control of the penetrator.

It is important to realize that the penetrator is deliberate in his attempts. This is because it introduces a class of "user" that contemporary computer system designers had not seriously considered. Designs reflect that the systems are expected to operate in a "benign environment" where violations of the system controls are presumed to be accidental [2]. Because systems are presumed to be in a benign environment, the attacker does not have to exert much effort in his penetration attempts.

The second characteristic involves the utilization of system "foibles". Lackey [11] defines the term:

A foible is an accidental or unintentional opening that permits unauthorized control of the system or unauthorized access to information. It can occur in either hardware or software, but software penetrations are more common. A system programmer may inadvertently allow an obscure condition to occur for which no check is made, or accept parameters without adequate checking. Often the programs pass acceptance tests that don't expose these anomalies, and the program will work properly when used as intended.

Foibles that can be used by a penetrator to circumvent system controls come about because most computer designs for both software and hardware consider efficiency and convenience as primary factors rather than security.

The method is repeatable because the foible is a part of the system design or implementation. The penetrator can use it as though it were a "special feature" of the system.
1. Penetration Environment


The penetrator carries out his malicious activities by using the computing (or rather the penetration) environment "as is". That is, he is content to exploit the system using those foibles that the designers and implementors inadvertently provided. But since deliberate penetration utilizes system weaknesses or foibles, the penetrator may have his "access" routes cut off if the fallibility is discovered by a legitimate user or system maintenance personnel. However, as indicated by Lackey, since the error was not detected during testing and the system works properly when used properly, this appears to be an effective method for gaining unauthorized information.

This is supported by reviewing the literature concerning computer crimes. Many of the criminals were not caught by the discovery of their penetration method or even in the actual act, but by some foolish action on the part of the criminal after the fact (e.g., high living on embezzled funds). Only through subsequent investigations did the foibles become known to the victims.

But this environment, although lucrative, is not under the "control" of the penetrator. Foibles could be discovered and corrected or procedural deficiencies revised. The determined penetrator would undoubtedly desire an environment that is more under his control and not as susceptible to change and possible detection by external forces.
2. The Penetrator


Current conceptions of computer system penetrators as glamorized by the newspapers and other popular literature would have one believe that the penetrator is a highly technical individual such as a programmer or computer scientist. This is a misconception. Several studies have shown that a more accurate conception of the average penetrator is that:

1. He possesses only a limited technical knowledge of the computer system [12].
2. He is a "white collar amateur" [13].
3. He is a user of the system, not the professional that supports the system [12].
4. He lacks the ability to think big [14].

But all these conceptions of the known penetrator reflect the same thing: that these conclusions are based on the amateur that got caught. They say nothing about the malicious elements that were sophisticated enough to avoid detection. It is this group that poses the greatest danger to the security of computer systems. What is the nature of the penetrator that was not caught, and how might he proceed in his malicious endeavors? It is imperative that these questions be addressed.


C. SUBVERSION


Recall from Chapter I that subversion of a computer system involves the covert and methodical undermining of internal and external computer system controls to allow unauthorized and undetected access to computer system resources and/or information. But to understand the real implications of this definition, further amplification is required.

Subversion is characterized by the following:

1. It can occur at any time in the life cycle of a computer system.

2. It is under the control of highly skilled individuals.

3. It utilizes clandestine mechanisms called "artifices" deliberately constructed and inserted into a computer system to circumvent normal control or protection features.

Each of these characteristics will be introduced in the following sections. The detailed methodologies of subversion are discussed in the next chapter.
1. Subversion Over a System Life Cycle


Subversion is not limited to on-site operations, as in the case of deliberate penetration. It includes activities that spread over the entire life cycle of a computer system. This life cycle includes several phases:

1. Design - The beginnings of a system. All key decisions concerning the software and hardware specifications are made during this phase.

2. Implementation - The conversion of the design into a usable product. This includes manufacturing and testing of hardware components, and the coding and testing of software components.

3. Distribution - After all system components have been produced and tested, they are distributed to the various operational sites.

4. Installation - Upon receipt of new system components, these components must be installed and made operational. These components might be new software on old equipment, or old software on new equipment, or any combination of the above.

5. Production - This is the operational phase of the computer system and is the phase that has traditionally received the most security consideration. This consideration is because of the presence of the sensitive information that is the object of the subverter's efforts.

The legitimate activities that are carried on during the various life cycle phases offer ample opportunities for the subverter to undermine system components. The activities in the first four phases are basically not sensitive in nature and are carried out at relatively open facilities. Therefore, the subverter would have little difficulty in subverting the system components under development. Later, in the production phase, these same components would be involved in the protection of information. By this phase the subverter would have an "environment" purposefully constructed for the unauthorized and undetected exploitation of the system and the information it contains. The next chapter will outline possible activities that can be carried on by a subverter during each of these life cycle phases.


2. Skills Required 


The subverter, unlike the penetrator, is not an 
amateur. To be able to carry out subversive operations, the 
subverter must understand the activities that are performed 
during the various phases of a computer system's life cycle. 
But none of these activities are beyond the skill range of 
the average undergraduate computer science major. In fact, 
much of the activity involved with subversion can be carried 
out by individuals of much less technical knowledge. 
Subversion can be particularly effective as an organized 
effort that need only be CONTROLLED by the technically 
qualified. 

The subverter, unlike the penetrator, does not lack 
the capacity to think big. He can utilize a diverse group of 
individuals that may or may not be aware of the subversive 
activities they are performing. One need only imagine the 
vast number of people that will have access to the various 
computer system components prior to their being delivered to 
the control of an unsuspecting ADP security officer. 
3. The Artifice 


The subverter could, and undoubtedly would, use 
various methods to circumvent the control features of a 
computer system, including the foible that is indicative of 
the penetrator's environment. But the subverter is concerned 
with the long term return of his subversive efforts. To rely 
on a design oversight or an implementation flaw that might 
be eventually corrected would not be a sound "business" 
practice. Rather the subverter constructs his own mechanisms 
that are inserted into the hardware or software during one 
of the various phases of a computer system's life cycle. Any 
clandestine mechanism that is used in subversion is called 
an 'artifice' [11]. These mechanisms can be implemented in 
either hardware or software. The most common forms of 
artifices are known as trap doors and Trojan horses. A 
hardware artifice is a particular instance of a trap door. 
a. Trap Doors 
The key characteristics of a trap door are: 

- It is exercised under the direct control of an 
activation stimulus. 

- It circumvents the normal control features of a 
system. 

As the name implies, trap doors have a means of 
activation (like the latch on a door). This activation key 
is under the direct control of the attacker. A simple 
example of an activation key is a special sequence of 
characters that is typed into a terminal. A software trap 
door program, embedded in the operating system code, can 
recognize this key and allow the user of the terminal 
special privileges. This is done by the software 
circumventing the normal control features of the system. It 
is important to realize that the only purpose of a trap door 
is to "bypass" internal controls. It is up to the attacker 
to determine how this circumvention of control can be 
utilized. 

The attacker can construct the trap door in such 
a manner as to make it virtually undetectable to even 
suspecting investigators. A penetration tiger team, 
organized by the Air Force to test the security features of 
a computer manufacturer's operating system, installed a small 
trap door that was so undetectable that the manufacturer's 
personnel could not find the clandestine code, even when 
they were told it existed and how it worked [6]. 
b. Trojan Horses 

A Trojan horse is different from a trap door in 
several ways. Whereas the trap door is generally constructed 
to circumvent normal system controls, the Trojan horse can 
accomplish its malicious tasks without circumventing these 
controls. Trojan horses are artifices, generally programs, 
that have two functions: 

- An overt function - This function serves as a lure to 
attract the program into use by an unsuspecting user. 

- A covert function - This function performs clandestine 
activities unknown to the user of the Trojan horse. 

The overt or "lure" function of a Trojan horse 
can, for example, be mathematical library routines, word 
processing programs, compilers or any program that might be 
widely used at an installation. Because these programs are 
executing on behalf of the user they assume all access 
privileges that the user has. This allows the covert 
function access to any information that is available to the 
user. 

The covert function is exercised concurrently 
with the lure function. An example of this kind of artifice 
might be a text editor program that legitimately performs 
editing functions for the unsuspecting user while browsing 
through his directories looking for interesting files to 
copy. This is a particularly effective option for the 
attacker due to the fact that as far as any internal 
protection mechanism of the computer system is concerned 
there are no "illegal" actions in progress. The Trojan horse 
(e.g., text editor) is simply a user program, executing in 
user address space, accessing user files, performing 
perfectly legitimate system service requests such as giving 
another user (e.g., the subverter) a copy of his files. 


D. CHAPTER SUMMARY 


This chapter has offered a brief discussion of the three 
methods that can be used to attack a computer system. They 
are: inadvertent disclosure, penetration, subversion. There 
have been important distinctions made between the present 
conception of the known penetrator and his methods, and that 
of the subverter and his methods. The known penetrator is 
basically an amateur that is content to operate within the 
computing environment as it exists. The penetrator's 
environment is one made of unintentional imperfections that 
can be used to exploit a system. The subverter, on the other 
hand, is a professional that actively constructs his 
subversion environment by the methodical undermining of a 
computer system throughout its life cycle by the use of 
artifices. The next chapter will discuss in greater detail 
the methodologies of this subversion. 





IV. METHODOLOGIES OF SUBVERSION 


To reiterate the definition of subversion, it is the 
covert and methodical undermining of internal and external 
security controls over a computer system's lifetime to allow 
unauthorized and undetected access to system resources 
and/or information. This chapter describes the methodologies 
involved in subversion. 

It has been the purpose of the previous chapters to "set 
the stage" for the discussion that follows. It is obvious 
that there is not a clear understanding in the computer 
security arena as to exactly what should be done to insure 
that computer systems can reliably protect information. As 
long as this confusion persists subversion will be a threat 
to the security of computerized information. It should be 
kept in mind that those who might be involved in subversive 
activities would not be confused as to what their goals are 
or how they would accomplish them. 


A. GENERAL CONSIDERATIONS 


The majority of this chapter is concerned with the 
activities that a subverter might consider as 'field 
operations'. These operations involve activities that are 
required to insert artifices, exercise them, and retrieve 
the resultant information. But there are several general 
considerations that should be kept in mind when reading 
about the various phases of subversion. Principal among 
these is that any reference to the subverter is meant as a 
reference to the subversive organization. Individuals who 
might perform subversive acts would do so with the guidance 
of all the expertise that might be available in this 
organization. 

1. Safe Computing Sites 


Like any effective field operation, the subverter 
needs to insure that any techniques and mechanisms used in 
the field have been perfected at a safe computing site. This 
might seem difficult if a new system is the subversive 
target. However, there are machines available today that are 
micro-programmable emulators such as the Burroughs D Machine 
or the Nanodata QM-1. A feasibility study [15] has 
demonstrated that a very sophisticated, large scale 
computer system (Multics) could be emulated on such a 
device. Because these machines are micro-programmable, one 
machine can be used to support several field operations. 

Once a basic architecture is emulated, existing 
operating systems and subsystems could be installed. These 
systems could then be analyzed for exploitable foibles, and 
artifices could be designed and tested. The basic algorithms 
for software artifices can be refined in a safe atmosphere 
to insure that there are no unwanted side effects. Sound 
software engineering practices would be employed to analyze 
the best approach to the subversion process. 

2. Scope of Operations 


The scope of subversion is completely under the 
control of the subverter. It can be as focused as one 
computing site or as widespread as several hundred 
installations, all with roughly the same expenditure of 
effort. This is accomplished by selecting the phase of a 
computer system's life cycle in which to start subversion 
operations [10]. The earlier in the life cycle a system has 
been subverted, the more global the opportunities for 
exploitation. 

By installing artifices at the beginning phases of the 
life cycle (design or implementation) they will then become 
an integral part of the computer system. Anyone who 
subsequently procures one of these systems will become a 
potential target for exploitation. Identification of the 
victims need not occur until later. Should the subverter not 
have the opportunity to begin his operations in these first 
life cycle phases, he would have ample opportunities in the 
later phases. 

The subverter can narrow the scope of his operations by 
performing his malicious activities during the distribution 
of system components to the selected sites. He can select 
which sites are the most profitable and then intercept 
system components as necessary to accomplish his goals. 
Finally, by initiating subversion operations during the 
installation or production phase of a computer system, he 
restricts his activities to that particular site. 

3. Desirable Traits in Artifices 


The following discussion will center on the three 
major types of artifices: software trap doors, Trojan 
horses, and hardware mechanisms. Not only are the below 
listed traits desirable, but they are qualities that can be 
easily incorporated into artifice construction. 

a. Software Trap Doors 

Recall that the principal function of a trap door 
is to circumvent internal system controls under the control 
of an activation key. With this in mind, the following are 
several desirable traits that the subverter would 
incorporate in the implementation of this type of artifice. 

(1) Compactness. To give the user of the trap 
door unauthorized privileges may involve only enough code to 
recognize the activation trigger and the one or two 
instructions required to change the machine state to master 
mode. The fewer the instructions the better. Once this is 
accomplished, other programs can be invoked to perform the 
desired clandestine activities. 

(2) Revision independence. To insure that a trap 
door remains in the system for years, perhaps its entire 
life, it is necessary to install it in an area of code that 
will not be liable to revision. Operating system software, 
as pointed out earlier, is often riddled with design errors 
or subject to planned changes. Placement of the trap door 
should be in an area that is not likely to undergo review. 
For example, I/O routines that are used to control hardware 
devices are not generally changed in software revisions. 
These are generally written in lower level languages for 
efficiency and offer an excellent 'refuge' for artifices. 

(3) Installation independence. Many 'off the 
shelf' general purpose computer systems come with a wide 
range of options. But for a given family of systems, there 
is usually a "core" operating system that will be common to 
any installation within the system family. By installing the 
trap door in this "core" of code the subverter is assured 
that his artifice will be present in the system regardless 
of the particular configuration that would be generated at 
the installation. 

(4) Untraceable. The operation of the trap door 
should not in itself leave any trace of its operation. This 
implies that either its operation does not encounter system 
traps or audit trails, or it has the ability to erase any 
evidence of its activities. Frequently, the very 'primitive' 
or basic functions of an operating system, such as a 
teletype stream handler, are at too low a level to be 
audited in system logs. These routines are also relatively 
'stable' in that they are generally not subject to frequent 
revision. 

(5) Uniquely Triggerable. The means by which the 
trap door is activated should be unique enough to insure 
that accidental activation is unlikely. One example is a 
trap door that is triggered by a unique sequence of 
characters in a teletype stream. Too short a sequence or too 
common a sequence might accidentally activate the artifice 
by someone other than the subverter or his agent. On the 
other hand, too long a sequence might require too much code to 
check against and make the trap door code too long. 

(6) Adaptability. The trap door should have a 
degree of generality or even programmability. Since the trap 
door might have been installed during the early phases of 
the system's life cycle, the subverter cannot always predict 
the particularities of the installation or application. For 
instance, since trap doors circumvent normal controls, a 
trap door could be designed to modify operating system code online. By 
circumventing the write protection of the operating system 
code area the trap door can allow the subverter to adapt the 
operating system to his needs. 

b. Trojan Horses 

As previously stated, a Trojan horse is a program 
that is invoked by an unsuspecting user. It will perform a 
legitimate function (the lure) and a covert function. The 
following are a few desirable traits for this artifice. 

(1) Directed Lure. The lure (or overt) function 
of the Trojan horse will determine what kind of information 
will come under the scrutiny of the covert function. 
If the desired information is scientific in nature then it 
might seem plausible to construct a Trojan horse that offers 
a lure of some sort of mathematical computation. If 
personnel records are the target then the lure might be a 
sort routine. It should be noted that the information 
available to the Trojan horse is any information that would 
normally be available to the unsuspecting user, not just 
the information needed to perform the lure function. This is 
because most operating systems consider any program executed 
by a user to be "owned" by that user for the duration of the 
program execution. Any access rights that the user might 
have are imparted to programs run on his behalf. 

(2) Compatibility of Functions. The covert and 
overt functions of a Trojan horse should perform "expected" 
functions. It is not expected that a mathematical library 
routine would access the user's file space (e.g., the covert 
function browsing through files) when it is computing the 
roots of a polynomial. System audit logs may record this 
activity and suspicions be aroused. This could be 
disastrous if the covert function was to inadvertently 
cause the user process to be interrupted by a disk error. 
However it is expected that a sort file routine will access 
the user's file space. Subsequent disk errors might be 
overlooked as merely a fluke. This can be viewed as a way to 
"functionally disguise" the Trojan horse. 

c. Hardware Mechanisms 

A hardware mechanism is a special instance of a 
trap door. It performs the same function of circumventing 
normal system controls as its software counterpart. Its 
capabilities and traits are essentially the same. The method 
of activation may vary due to unique hardware 
capabilities such as the ability to transceive radio 
signals. There are two cases of hardware mechanisms, 
programmable and non-programmable. Examples of each of these 
types are presented later in the chapter. 

4. Obscuring Artifices 


Proper obscuring can make artifices virtually 
undetectable. One must realize that once code or hardware is 
operational in a computer system there would be no reason to 
review it unless something failed. Think of how hard it is 
to find a difficult bug that is being purposefully searched 
for in a program. One can imagine how difficult a small trap 
door would be to find if the author of the trap door takes 
special pains to obscure it. Furthermore, even if found, the 
well-designed artifice will appear to be just another bug. 

Obscuring artifices is considered essential to the 
subversion process. Obscuring techniques are limited only by 
the ability and understanding of the subverter installing 
the artifice. 

Listed below are a few techniques that the subverter 
might use in this process. 

a. Modifying Object Code 

Binary machine code is the most obscure medium in 
which a software artifice can reside. The Multics Security 
Evaluation [12] amplifies this point: 

Clearly when a trap door is inserted, it must be well 
hidden to avoid detection by system maintenance personnel. 
Trap doors can best be hidden in changes to the binary 
code of a compiled routine. Such a change is completely 
invisible on system listings and can be detected only by 
comparing bit by bit the object code and the compiler 
listing. 

Disadvantages of this obscuring method come about 
because object modules may be periodically recompiled for 
various reasons [10]. This, of course, may not be under the 
control of the subverter and methods must be devised to 
insure periodic reinsertion. It has been informally reported 
[10] that a compiler could be "enhanced" to always reinsert 
the artifice in the object code when a particular system 
module was recompiled. Compilers themselves are rarely 
recompiled by the user. So the clandestine code that was 
inserted in the compiler would be quite safe. 


Obscuring in object code is particularly suited for 
Trojan horses. Software that is procured from vendors as 
'off the shelf' computing aids often does not provide source 
code listings. This is to protect proprietary rights. The 
subverter (perhaps a legitimate vendor) can use this fact to 
his advantage. He could offer software products to 
unsuspecting computer installations much as any other 
software vendor might. In fact, the subverter could 
anticipate the installation's needs if he had agents on the 
premises that knew the particular situation. Since the 
subverter is not primarily in the business of making money 
by selling software, he can undercut competitive bids. 

Detection risks for this obscuring method are 
considered relatively low. Even if the Trojan horse were to 
malfunction and lead system maintenance personnel to suspect 
it of 'performing strangely', without source code 
documentation the first order of business would be to 
contact the vendor for another copy of the program. 

b. Abuse of Software Engineering Practices 

When using source code as a means of inserting 
artifices, means must be devised to obscure the true purpose 
of the clandestine code. Program documentation could prove 
invaluable in this effort. Good program documentation is 
essential to the understanding of complex programs such as 
operating system software. Most higher level languages allow 
variable names of ample length. Yet many programmers are 
content to follow archaic FORTRAN or assembler-like 
practices that tend toward short, abbreviated variable names 
that have meaning only to the programmer at the time he 
wrote the code. Inadequate commenting of source code is 
another common abuse. 

Writing programs that are unstructured or 
non-modular in organization can prove quite effective for 
obscuring. This is commonly referred to as "spaghetti bowl" 
logic. By using non-local 'goto' statements that seem to 
jump around the program arbitrarily, it is virtually 
impossible to follow the program logic. 

Allegedly 'good' documentation practices can 
also be utilized in the obscuring process. This technique 
can simply be labeled as lying. Plenty of apparently good 
comments can lure the reader away from scrutinizing the code 
too closely. Mislabeled variables can also steer the reader 
away from the actual purpose of the clandestine code. 

The use of source code as a means of inserting 
artifices has the dual distinction of offering the subverter 
the greatest returns as well as the greatest risk of 
detection. Source code artifices will not be destroyed by 
recompilation of the code, as with some other methods of 
insertion. However, because it is in human readable form, 
artifices are more visible and therefore more vulnerable to 
possible detection [10]. 
c. Using Assembler Languages 

Most assembler language traits, both good and bad, 
are beneficial from the subversion standpoint. Some of these 
traits are: 

1. Most "powerful" language available. 

2. Most efficient in execution time and core 
requirements. 

3. Least comprehensible of all the human interpretable 
computer languages. 

Assembler languages are the most 'powerful' 
because they allow greater control over the programming 
environment than any other language. Assembler languages are 
not constrained to the addressing restrictions that are 
imposed by the structured environments of the higher level 
languages. There is no distinction between data and code 
areas. This allows the subverter to either write self 
modifying code or to disguise clandestine code as "data". 
Assembler programs are noted for their "spaghetti bowl" logic 
because it is difficult to write assembler programs that do 
not use goto statements. Since goto statements are expected 
in assembler code, it is easy for a subverter to write a 
program that has a goto statement whose operand is a 
variable label rather than a statement label. The variable 
label could define the beginning of a series of hexadecimal 
or binary constants that are nothing more than the 
equivalent binary opcodes of the clandestine routine. Close 
scrutiny is rarely given to these "tables" of constants, 
particularly if the program is functioning properly. 

Assembler language source code is assembled to 
machine code instructions on an almost one-to-one basis. 
Therefore the subverter can exactly predict the amount of 
"overhead" the artifice will impart to the subverted system. 

d. Strategic Placement 

Obscuring software artifices, particularly trap 
doors, can be greatly enhanced by strategically placing the 
clandestine code away from areas that might be subject to 
investigation. For example, consider a trap door that is 
triggered by an activation key from a teletype. Perhaps 
security investigators suspect that a trap door exists and 
that it is activated by a teletype stream. Naturally the 
investigation would inspect all code that handles the 
teletype stream. The subverter can foil these efforts by 
placing the trap door in an area totally unrelated to the 
teletype routines, such as the disk I/O driver. Since the 
trap door resides in a routine that executes in the master 
mode, addressing restrictions do not apply, and the teletype 
buffer is addressable from the trap door's vantage point. 

The subverter can either wait for normal disk 
usage or execute a "do nothing" program that uses the disk. 
This will insure that the trap door that resides in the disk 
driver routine will be exercised at the same time the 
activation key is present in the teletype buffer area. Upon 
recognizing the activation key the trap door will perform 
the necessary task required to circumvent the normal 
controls. 
e. Using Confinement Channels 

Confinement channel is the general term applied 
to information paths that can exist between a program 
(called a service) and its owner. The information is gained 
when another program (called a customer) invokes the service 
and the service subsequently extracts unauthorized 
information from the customer and passes it to the owner of 
the service [16]. 

Much of the computer security evaluation 
criteria [8] mentioned in Chapter II is concerned with what 
is called the simple security condition. This condition 
states that a subject (user or his program) cannot have read 
access to objects for which he is not cleared. Confinement 
channels generally meet this condition. However they do not 
meet what is called the confinement property (also known as 
the *-property). The confinement property states that if one 
program has read access to data at one security level it 
cannot have write access to another file at a lower security 
level [21]. Thus the program is 'confined' so that it cannot, in effect, 
'declassify' information; it is confined to writing into a 
file of the same security level or higher. 

Most systems do not even consider the issues of 
confinement. If an artifice was to introduce such a channel 
it would probably not be recognized for what it was. One 
type of this channel is sometimes called a covert channel. 
This channel is called covert because the method by which 
the information is passed is particularly difficult to 
detect. An example is offered by Denning [14]: 

This type of flow cannot be controlled easily, if at all. A 
program can convey information to an observer by encoding 
it into some physical phenomenon without storing it into 
the memory of the computer. These are called flows on 
covert channels... A simple covert channel is the running 
time of a program. 

Because these channels for information flow are 
not the 'normal' paths that information is thought to flow 
on (i.e., variable parameters, files and other 'storage 
channels') they are easily overlooked by investigators. In 
the simple example above Denning [14] explains how the 
running time of the program can be used to convey 
information: 

A program might read a confidential value, then enter a 
loop that repeatedly subtracts 1 from the value until it 
reaches zero. The owner can determine the confidential 
value by simply observing the running time. 

Confinement channels will be discussed again in later 
sections of the chapter. 
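The two rules named above (simple security condition and *-property) and Denning's running-time channel, worked through as an added example that is not part of the thesis: a small reference monitor shows the *-property blocking the storage-channel copy, while the simulated loop shows the same value escaping through its running time until the loop is padded to a fixed length. The level names, subject and object names, and the value 42 are constructed sample data; the monitor uses a high-water mark to track what a subject has read.

```python
"""Reference monitor for the simple security condition (no read up) and the
*-property / confinement property (no write down), plus a simulated covert
timing channel that leaks a value despite both rules.
Added example, not from the thesis; all levels, names and the confidential
value are constructed sample data."""
from dataclasses import dataclass

# Constructed linear ordering of security levels (no categories, for brevity).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class AccessDenied(Exception):
    """Raised by the reference monitor when a request violates a rule."""


@dataclass
class Subject:
    name: str
    clearance: str
    # Highest level read so far ("high-water mark").  This is the text's
    # wording: a program that has read data at one level may not write to
    # a lower level afterwards.
    high_water: str = "unclassified"


@dataclass
class Obj:
    name: str
    level: str
    data: str = ""


def dominates(a: str, b: str) -> bool:
    """True when level a is at least as high as level b."""
    return LEVELS[a] >= LEVELS[b]


def read(subject: Subject, obj: Obj) -> str:
    """Simple security condition: a subject may read only objects whose
    level its clearance dominates."""
    if not dominates(subject.clearance, obj.level):
        raise AccessDenied(f"{subject.name} may not read {obj.name}")
    if dominates(obj.level, subject.high_water):
        subject.high_water = obj.level
    return obj.data


def write(subject: Subject, obj: Obj, data: str) -> None:
    """*-property (confinement property): having read at high_water, the
    subject may write only to objects at that level or higher, so it cannot
    'declassify' what it has read through a storage channel."""
    if not dominates(obj.level, subject.high_water):
        raise AccessDenied(f"{subject.name} holds {subject.high_water} data "
                           f"and may not write to {obj.level} {obj.name}")
    obj.data = data


def leaky_service(value: int) -> int:
    """Denning's example: a loop that subtracts 1 until zero.  The iteration
    count stands in for running time (deterministic, so the leak can be shown
    without a real clock).  Nothing is stored, so the monitor never sees it."""
    ticks = 0
    while value > 0:
        value -= 1
        ticks += 1
    return ticks


def padded_service(value: int, bound: int) -> int:
    """Mitigation: run a fixed number of iterations regardless of the value,
    so the observable 'running time' carries no information about it."""
    ticks = 0
    for _ in range(bound):
        value = value - 1 if value > 0 else 0   # same tick count either way
        ticks += 1
    return ticks


def scenario(bound: int = 100) -> dict:
    """A cleared user runs an untrusted service; the service's owner tries to
    learn a confidential value via a storage channel and a timing channel."""
    payroll = Obj("payroll", "secret", "42")        # constructed sample data
    dropbox = Obj("owner_dropbox", "unclassified")  # the owner can read this
    user = Subject("alice", "secret")
    out = {}
    value = int(read(user, payroll))                # secret reads secret: ok
    try:                                            # storage-channel attempt
        write(user, dropbox, str(value))
        out["storage_leak"] = dropbox.data
    except AccessDenied:
        out["storage_leak"] = None                  # *-property blocks it
    out["timing_leak"] = leaky_service(value)       # equals the value: leak
    out["timing_padded"] = padded_service(value, bound)  # always == bound
    return out
```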
f. Hardware ObScuring 

Today integrated circuit technology offers a near 
perfect medium in which to obscure hardware mechanisms. 
Equipment that has medium scale integration (MSI) chips 
can be replaced with enhanced large scale integration (LSI) 
chips. The enhanced chips would perform the required 
functions of the original chips, but also perform functions 
under the control of the subverter. Detection of these 
devices, once installed in target equipment, is virtually 
impossible, since the subverter would undoubtedly insure 
that all external appearances such as physical appearance, 
logical operation, power consumption, etc., would be the 
same. There is no non-destructive way to thoroughly examine 
these devices. 


B. INSERTING ARTIFICES OVER THE LIFE CYCLE OF A COMPUTER SYSTEM 

The subverter, by inserting artifices into a computer 
system, is, in effect, "creating" a subversion environment on 
the targeted computer system. He is inserting the 'tools' 
which he will use to undermine the security of a computer 
system. Once this security is subverted, he can then extract 
the information he desires. But the timeframe between when 
the artifice is inserted and when information is retrieved 
may be years. 

He can be very successful in his insertion efforts 
because the places in which the subversion occurs are 
relatively open environments that are not hardened against 
his efforts. This is because there may be no classified 
operations being conducted at many of the places the 
subversion occurs. 

There is an interesting property in the insertion 
activity that differs from most other forms of criminal 
activity. The subverter is not removing or stealing anything 
from the premises; on the contrary, he is introducing 'a 
little something extra'. 
1. Design Phase 


The subversion of a computer system design is a 
subtle process. As in any design process there are hundreds 
of alternatives to consider. Among the many choices on any 
one issue, several may prove acceptable. It is the job of 
the subverter to be the 'standard bearer' of those 
alternatives that will aid him in his subversion efforts. 

Inadequate design choices have been used in the past 
to exploit a system. In 1974 the Naval Research Laboratory 
conducted a penetration exercise on a Univac 1108 system 
running under Exec VIII. The author of the resulting report 
[17] comments: 

However, even if an MLS (multilevel security system) is 
completely bug-free, in the sense that its response to 
user requests is completely specified by its design, this 
does not imply that the MLS will not permit dissemination 
of data to unauthorized users. Our penetration of Exec 
VIII is not based on bugs in the implementation, though 
they certainly exist. Instead, we exploit several aspects 
of the Exec VIII design philosophy which, when taken 
together, make penetration possible. 

Details of this particular penetration exercise are outlined 
later in the chapter. 





The following is a brief discussion of how the 
subverter might make seemingly sound design choices and 
still subvert a system's design. 

a. Operating System Software 

(1) Password procedures. There are several ways 
to design password login procedures. Three viable choices 
that the subverter might propose are: 

1. encrypt the passwords with a seemingly non-invertible 
algorithm, 

2. allow the user to choose his own passwords, or 

3. allow multiple login attempts for the 'forgetful' 
user. 


The first case was used on the Multics 
system at the time of the USAF security evaluation [10]. The 
designers of the system hoped that the algorithm they were 
using was non-invertible; the evaluation demonstrated that 
it was not. 

In the second case, user chosen passwords 
are often easy to guess [12]. One such system allowed the 
user to choose his own password. The system administrators 
would enter a new user into the password file and, as a 
convenience, would enter the user's name as his password 
until the user's first session, at which time the user was 
supposed to change the password to one of his own choosing. 
Due to a design choice, the password file was readable by 
all users. This in itself was not a cause for alarm, as the 
password field is encrypted. But the first entry in the file 
is the user's name in plain text. A malicious user, knowing 
the administrator's procedure, attempted the login sequence 
using the names in the password file until there was a 
successful login (presumably from a new user). Subsequent 
investigations revealed that many of the users had not ever 
bothered to change their passwords. This also points out the 
problem of allowing too many login attempts. 

(2) Audit Procedures. Two design suggestions 
that a subverter might recommend are: 

1. audit all actions that might be security related (the 
more the better), or 

2. audit only user mode actions. 

The subverter, by recommending excessive auditing, will, 
in effect, render the auditing process ineffective. Those 
that are tasked with the manual reviewing of audit logs will 
be quickly buried by the sheer volume of it all. The 
listings will quickly fall into disuse in the corner of some 
storeroom. 

By auditing only user actions the subverter 
is given free 'license' to implant his artifices in master 
mode routines that are 'trusted'. The subverter need not 
worry about any actions carried out by artifices that exist 
in master mode routines because their actions will not be 
traced by any audit mechanism. If a trap door circumvents 
control of the system by placing the subverter in master 
mode then any subsequent actions of the subverter will not 
be audited. 

(3) Confinement Channels. Some areas of the 
computer system could be designed to pass information via a 
confinement channel. Should the subverter find himself 
working in one of these areas he would undoubtedly take 
advantage of the opportunity. The concept can be best 
illustrated using an example. 

Many operating system designs are process 
oriented. Each time a new process is required by the system, 
a unique identifier is assigned to this process so the 
system can keep track of all the different processes. There 
appears to be nothing significant about the process-id. 
Therefore it would seem irrelevant as to how this unique 
identifier is selected. Logically the easiest choice would 
seem to be to assign process-id numbers sequentially as they 
are needed. By making this design choice the subverter has 
constructed a confinement channel. 

Assume there are two processes, 'A' and 
'B', active in a system at the same time. Process 'A' is a 
clandestine service routine (with a Trojan horse) that has 
access to sensitive information. Process 'A' desires to 
communicate some of this sensitive information to process 
'B', which is not authorized access to the information. They 
will communicate by using the process-id number as a binary 
communication channel. Because process-id numbers are 
assigned sequentially, process 'B' can deduce information 
from the id number based on the previous values. If 'A' 
desires to send a binary '1', 'A' will create two new dummy 
processes (and immediately destroy them). This will increase 
the process-id number by two. If 'A' desires to send a 
binary '0', it will create and destroy one process. 

On the receiving end, 'B' will create one 
process, save the id number, and then destroy the process. 
'B' will compare the new process-id with the one saved from 
its last active period. If it is three 
greater than the previous process-id the information sent 
was a '1'; if it was two greater it was a '0'. Because both 
'A' and 'B' are executing on the same machine, these 
activities are not occurring at the same exact time and they 
are synchronized (in a crude sense). Because there will be 
other processes in the system creating new process-id 
numbers, the channel will be 'noisy'. But modern information 
theory can be applied to detect transmission errors and 
reliable results can be obtained [16]. 
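The channel just described can be simulated directly. The following C program is an example added by the editor, not code from the thesis or from any system it discusses. The sequential process-id allocator, the two processes 'A' and 'B', and the 'noise' of unrelated process creation are all constructed here; the message byte and the positions of the noise events (NOISE_AT) are assumptions. A 3x repetition code with majority voting stands in for the error handling that the text says information theory can supply: one stray process creation turns a 0 into a 3-step difference (misread as 1) and a 1 into a 4-step difference (unreadable), and the vote recovers both cases.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated kernel: one sequential process-id counter shared by every process. */
static uint32_t next_pid = 1000;

/* Create a process and destroy it at once; only the id it was given matters. */
static uint32_t spawn_and_destroy(void) { return next_pid++; }

/* Sender 'A': two dummy processes encode a 1, one dummy process encodes a 0. */
static void a_send_bit(int bit) {
    spawn_and_destroy();
    if (bit) spawn_and_destroy();
}

/* Receiver 'B': creates one process and compares its id with the id it saw
   last period. A difference of 2 means A sent 0, 3 means A sent 1; anything
   else means some unrelated process was created in between (noise, -1). */
static int b_recv_bit(uint32_t *last_seen) {
    uint32_t pid = spawn_and_destroy();
    uint32_t delta = pid - *last_seen;
    *last_seen = pid;
    if (delta == 2) return 0;
    if (delta == 3) return 1;
    return -1;
}

/* Constructed noise pattern (an assumption, not from the thesis): symbol
   indices at which an unrelated process happens to be created just before
   B samples the counter. */
static const size_t NOISE_AT[] = {2, 7, 13};
#define N_NOISE (sizeof NOISE_AT / sizeof NOISE_AT[0])

/* Send one byte, most significant bit first, repeating every bit `repeat`
   times; B decodes each bit by majority vote over the copies it could read.
   Returns the byte B reconstructs. */
static uint8_t transmit_byte(uint8_t msg, int repeat) {
    uint32_t last_seen = spawn_and_destroy();     /* B's reference id */
    uint8_t decoded = 0;
    for (int b = 7; b >= 0; b--) {
        int bit = (msg >> b) & 1, ones = 0, zeros = 0;
        for (int r = 0; r < repeat; r++) {
            size_t sym = (size_t)(7 - b) * (size_t)repeat + (size_t)r;
            a_send_bit(bit);                              /* A's turn */
            for (size_t k = 0; k < N_NOISE; k++)          /* the rest of the system */
                if (NOISE_AT[k] == sym) spawn_and_destroy();
            int got = b_recv_bit(&last_seen);             /* B's turn */
            if (got == 1) ones++;
            else if (got == 0) zeros++;
        }
        decoded = (uint8_t)((decoded << 1) | (ones > zeros));
    }
    return decoded;
}

int main(void) {
    printf("uncoded  : sent 0x4B, received 0x%02X\n", transmit_byte(0x4B, 1));
    printf("3x repeat: sent 0x4B, received 0x%02X\n", transmit_byte(0x4B, 3));
    return 0;
}
```

Without the repetition code the two noise events inside the eight symbols corrupt two bits (0x4B arrives as 0x6A); with it, each corrupted copy is outvoted by the two clean ones and the byte arrives intact. The channel works only because the id allocator is a shared, monotonically increasing counter that any process can sample; an allocator that hands out unpredictable ids removes it.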

(4) Backward compatible features. Manufacturers 
must insure that new product lines are backward compatible 
if they wish to upgrade old customers. The subverter can 
capitalize on these design requirements by insuring that 
older system foibles are carried along to the new system's 
design. The IBM Systems Journal [19] offers an example: 
Two VM/370 features were discovered that permitted a total 
penetration, and others were discovered that could cause 
the system to fail. The first case concerned the OS/360 
use of self modifying channel programs in its ISAM access 
method. To support this feature in a virtual machine, 
VM/370 had been modified to examine channel programs for 
the pattern associated with the use of self modifying code 
by OS/360. The VM/370 method of handling such channel 
programs was to execute some commands out of the user's 
virtual storage, that is, not in VM/370 virtual storage 
space. As a consequence, a penetrator, mimicking the 
OS/360 channel program, could modify the commands in his 
storage before they were executed by the channel, and, 
thereby, overwrite arbitrary portions of VM/370. 
b. Other Software Design Choices 
Most computer systems are offered with a suite of 
supporting software such as compilers, text editors, service 
routines, etc. These can provide the subverter opportunities 
to incorporate Trojan horses into the overall system design. 
Software that is supplied as part of a package deal is 
financially attractive to customers that would otherwise 
have to procure these items from other sources. Many times, 
for efficiency or convenience, a service like a compiler 
will have special privileges (like executing in master mode 
for some functions). Thus a trap door in this program is as 
effective as one in the operating system itself. 

Service routines that are designed for benign 
purposes can be used by the subverter to insert artifices. 
IBM/360 offered one such service [20]: 

The means for inserting a penetration 
mechanism into an existing program (either system or user) 
stored on a direct access device is provided by one of the 
Operating System/360's own Service Aid programs, IMASZAP. 
This program is designed to modify data and instructions 
at any given location on a direct access file, which is to 
say, one can modify information anywhere on a disk pack. 
c. Hardware Alternatives 
The selection of hardware for computer systems 
will also offer the subverter many opportunities to aid his 
cause. The subverter can concentrate on central processors, 
peripheral equipments, or both. 

(1) Central Processors. The selection of central 
processors from the subverter's point of view is 
straightforward. The simpler the architecture the less 
effort that will be required to subvert it. Optimally the 
best choice is an architecture with no hardware protection 
mechanisms. But this choice is an impractical one for 
both the subverter as well as the customer. There would be 
little chance that such an architecture would be considered 
for use in a system handling sensitive information, and the 
subversion effort would be for naught. The subverter must 
work within at least minimum guidelines. 

For example, one set of minimal guidelines can 
be found in The ADP Security Manual [8]. This list of 
mechanisms is extensive. One would think that such a 
complete list is sufficient to assure a secure system. 
However, many of the penetrated systems in chapter two had 
these features and penetrators were very successful in their 
efforts. It is important to realize that having these 
features is not sufficient for a secure condition; it is how 
effectively they are employed. It is the job of the 
subverter to ensure that they are not effective even if they 
are present. The following is from the ADP Security Manual 
[8]: 


4-200 Hardware Features. 

a. The execution state of a processor should include one or 
more variables, i.e., protection state variables, which 
determine the interpretation of instructions executed by 
the processor. ... 

b. The ability of a processor to access locations in 
memory (hereafter to include primary and auxiliary memory) 
should be controlled (e.g., in user mode, a memory access 
control register might allow access only to memory 
locations allocated to the user by the O/S). 

c. The operation of certain instructions should depend on 
the protection state of the processor. For example, 
instructions which perform input or output operations 
would execute only when in master mode. Any attempt to 
execute an instruction which is not authorized should 
result in a hardware interrupt. ... 

d. All possible operation codes, with all possible tags or 
modifiers, whether legal or not, should produce known 
responses by the computer. 

e. All registers should be capable of protecting their 
contents by error detection or redundancy checks. ... 

f. Any register which can be loaded by the operating 
system should also be storable, so as to permit the O/S to 
check its current contents against its presumed 
contents. ... 

g. Error detection should be performed on each fetch cycle 
of an instruction and its operand (e.g., parity check and 
address bounds check). 

h. Error detection (e.g., parity checks) and memory bounds 
checking should be performed on transfers of data between 
memory and storage devices or terminals. 

i. Automatic programmed interrupt should function to 
control system and operator malfunction. 

j. The identity of remote terminals for ... input 
should be a feature of hardware in combination with the 
operating system. 

k. Read, write, and execute access rights of the user 
should be verified on each fetch cycle of an instruction 
and its operand. 

These requirements as outlined in the 
Security Manual are general enough so that viable arguments 
can be constructed to demonstrate most major vendors' 
processors 'acceptable'. A way in which the subverter could 
meet the letter of these requirements and still defeat the 
protection mechanisms was demonstrated in the Multics 
Security Evaluation [10]. 

The vulnerability involved violation of 
requirement 'k' listed above (access on each fetch). The 
Security Manual states that each instruction must produce 
known results (requirement 'd'), but this vulnerability 
involved a SEQUENCE of instructions. The Multics Security 
Evaluation [10] outlines the method: 

This vulnerability occurred when the 
execute instruction was in certain restricted locations of 
a segment with at least read-execute (re) permission. (See 
figure 1.) The execute instruction then referenced an 
object instruction in word zero of a second segment with 
at least R (read) permission. The object instruction 
indirected through an ITS pointer in the first segment to 
access a word for reading or writing in a third segment. 
If all these conditions were met precisely, the access 
control fields in the SDW (segment descriptor word) of the 
third segment would be ignored and the object instruction 
permitted to complete without access checks. 

This particular hardware 'bug' resulted from a field 
installed design change to the equipment that was installed 
at the computing sites. A subverter could include 
such 'features' in the initial hardware design. 

Figure 1. Execute Instruction Bypass 


(2) Peripherals. Generally, peripherals do not 
have the stringent requirements placed on their internal 
behavior like central processors. They are generally thought 
of as being under the control of the central processor, and 
if the CPU is 'contained' (in a security sense) then the 
peripherals will follow. This concept is rapidly changing in 
today's technology. Many devices such as direct memory access 
(DMA) I/O equipments are specialized processors in their own 
right. 

Configuring a system so that 'specially 
modified' I/O devices can intercept (or directly access) 
sensitive information is totally within the realm of the 
subversive designer. Likewise, procurement policies that are 
based on the lowest bidder can (and have been known to) 
result in a composite system that comes from a variety of 
manufacturers. A subversive designer can specify equipments 
to such a degree that only one vendor (the subverter) will 
be able to meet the specification. By specifying in this 
manner or by competitive pricing these 'enhanced' equipments 
can find their way into a 'secure' computer system. 


2. Implementation Phase 

In this phase of a computer system's life cycle, there 
are two computer systems to consider. There is the computer 
system under development, and there is the computer system 
used for the development (i.e. the 'host' computer). The 
subverter would first penetrate the host computer. Once this 
is accomplished, he would have access to the new software 
under development. This technique was demonstrated during 
the Multics evaluation [10]. A trap door was inserted into a 
new version of the Multics software that was to be 
distributed to all Multics sites. 

The target, of course, would be the new software (or 
hardware) under development. It would be these new products 
that would be employed in the protection of information in 
the future. 

Inserting artifices during the implementation phase 
can offer as many advantages as inserting during design. In 
fact, there are additional advantages because inserting 
artifices during implementation of a system does not require 
the subverter to be on the vendor's payroll. 

Often programmers can work from their homes on remote 
dialup terminals. Because these vendor development systems 
are not hardened against wiretapping or other possible 
penetration techniques, the subverter can infiltrate as 
desired. Private corporations would tend to shy away from 
particularly restrictive security practices when there are no 
classified activities present. The Multics Security 
Evaluation [10], which was written in 1974, pointed out such 
an environment: 

... it should be noted that the software for WWMCCS 
(World Wide Military Command and Control System) is 
currently developed using uncleared personnel on a 
relatively open time sharing system at Honeywell's plant 
at Phoenix, Arizona. The software is monitored and 
distributed from an open time sharing system at the Joint 
Technical Support Agency (JTSA) at Reston, Virginia. Both 
of these sites are potentially vulnerable to penetration 
and trap door insertion. 

Two areas of activity that might be subject to 
subversion in the implementation phase are coding and 
testing, and hardware assembly and checkout. 
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a. Coding and Testing 
Coding and bes tne of system softwere is 
concerned with one major goal: that the programs perform at 
Meme tne required functions. Gas is a Minimel requirement, 
ieee MaXimal one. Testing criteria involves cnly insuring 
@ietea 2iven module performs the requireé tasks correctly. 
Mmieeeroes «€©6noOt )«€6hinvolve the concept of determining all the 
mmetrions that it might be able to perform. In general, this 
characteristic cannot be determired for a program since this 
reduces to the unsolvable safety protlem [4] discussed 
earlier. 
ieoemsubversive -ectivities are to be cerriedc ont 
by the actual programmers assigned to the project, tnere are 
Supeemweeenere!] practices that the subverter might follew. Cne 
such practice is using global or external attritutes for 
variables that might not otherwise require them. This can 
make data available to other covert routines that will be 
able to utilize them. This is common practice in operating 
eouem programming, particularly if the language used is 
assembler language. 
some languages, particularly higher level 
languages that ere constructed for operating system use, do 
not perform run time bounds checkine on data structures that 
meee subscripting or pointers. This is not done because the 
extra code required cannot be afforded in an operating 


meetem environment. Effective use of Such Structures can 
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allow clandestine routines access to GEeas that wowlcn © be 
Otherwise inaccessable. For instance, a routine that has a 
meapecoOr installed performs some processing on an array 
that is passed to it. The maximum expected size might be 19? 
elements. If there is no runtime subscript bounds checking, 
the routine could check the area just beyonce the 122th 
element for a unique bit pattern that would activate the 
trap door. Specific features such as hardware bounds 
checking mechanisms will not help much because there would 
Meeno violation of the jobs total address space. 
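The array example above can be made concrete. The following C program is an example added by the editor, not code from the thesis or from any system it describes. The job's address space, the hardware bounds check (modelled by the fetch routine, which counts violations the way a bounds interrupt would), the activation pattern and the 100-element array are all constructed here and are assumptions. The point it demonstrates is the one the text makes: the word the trap door reads lies inside the job's own memory, so the hardware check passes and only a language-level subscript check could have stopped the read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXPECTED_MAX 100
#define ACTIVATION_PATTERN 0x5EC0DE55u   /* hypothetical trigger word (assumption) */
#define JOB_WORDS 256

/* The job's address space as the hardware sees it: one contiguous region
   this job may read and write. */
static uint32_t job_memory[JOB_WORDS];
static int bounds_faults;    /* hardware bounds interrupts raised */
static int trapdoor_fired;   /* set when the clandestine function would run */

/* Every memory read goes through the simulated hardware bounds check: an
   address outside the job's region raises an interrupt instead of a value. */
static uint32_t fetch(const uint32_t *p) {
    if (p < job_memory || p >= job_memory + JOB_WORDS) { bounds_faults++; return 0; }
    return *p;
}

/* Service routine with a trap door. It sums the first n elements of the array
   and then, with no language-level subscript check to stop it, reads the word
   just past the declared bound and compares it with the activation pattern. */
static uint32_t sum_readings(const uint32_t *readings, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += fetch(readings + i);
    if (fetch(readings + n) == ACTIVATION_PATTERN)   /* element n: one past the bound */
        trapdoor_fired = 1;                          /* clandestine function goes here */
    return total;
}

/* A job that calls the routine on a 100-element array kept in its own memory.
   With plant_trigger set, the activation word is written to the slot right
   after the array; it never leaves the job's address space, so the hardware
   check has nothing to object to. Returns 1 if the trap door fired. */
static int run_job(int plant_trigger) {
    trapdoor_fired = 0;
    bounds_faults = 0;
    memset(job_memory, 0, sizeof job_memory);
    uint32_t *arr = job_memory + 16;                   /* words 16 .. 115 hold the array */
    for (size_t i = 0; i < EXPECTED_MAX; i++) arr[i] = (uint32_t)i;
    if (plant_trigger) arr[EXPECTED_MAX] = ACTIVATION_PATTERN;   /* word 116 */
    sum_readings(arr, EXPECTED_MAX);
    return trapdoor_fired;
}

int main(void) {
    int benign = run_job(0), benign_faults = bounds_faults;
    int planted = run_job(1), planted_faults = bounds_faults;
    printf("benign job : trap door fired = %d, bounds faults = %d\n", benign, benign_faults);
    printf("planted job: trap door fired = %d, bounds faults = %d\n", planted, planted_faults);
    return 0;
}
```

In both runs the bounds-fault count stays at zero: the read of element 100 is as legitimate, to the hardware, as the reads of elements 0 through 99. A reviewer who tests only that the sum is right (the 'minimal requirement' described above) never exercises the extra read at all.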
b. Hardware Assembly and Checkout 

The safest time to carry out subversion 
activities on hardware is during the assembly of the 
equipment. Insertion costs and detection risks would be low 
during this period. Equipment could be assembled with 
specially enhanced integrated circuits that appear and 
function exactly like the normal circuits. This could be 
done by intercepting the supplier's shipment of parts to the 
assembly plant and replacing them with the subverted 
hardware. This way the subverter would be totally removed 
from the insertion process. Entire product lines can be 
equipped with these hardware trap doors. If shipments could 
not be intercepted, or if the assembly plant was the 
manufacturing facility as well, other arrangements could be 
made. Assembly line personnel could replace the normal chips 
in the assembly line parts bins with the enhanced ones. 
Plant security is typically oriented toward individuals 
taking products out of a plant, not bringing them into it. 
3. Distribution Phase 

The most significant advantage to inserting artifices 
in system components (hardware and software) during the 
distribution phase is that the subversion occurs after the 
review process is completed. These components already carry 
the 'seal of approval' and will, in all probability, not be 
subjected to close scrutiny again. 

Subversion activities carried out during the 
distribution phase require significantly less investment in 
technical talent than other phases of the life cycle. 
Activities involve the replacement or modification of valid 
equipments and software with subverted copies. Personnel who 
might be involved are delivery truck drivers, mailmen, 
receiving or shipping clerks. Most of these personnel can 
perform their aspect of the subversion and not be aware of 
the 'big picture'. Even if apprehended and interrogated 
their knowledge of the extent of the operation would be 
minimal. 

Suppose that the subversive organization 
legitimately purchased several terminals from a company. 
Upon receiving these terminals they are carefully unpacked 
so as to not damage the original shipping containers. 
Technicians could then modify the terminals with special 
'enhancements' and insure that they perform as desired. The 
terminals are then carefully repacked so that nothing would 
appear disturbed. When the subverters received word that 
company XYZ had ordered some of these same terminals for a 
new multilevel security application, they could be substituted 
for the normal terminals. This way the subverters have a 
steady supply of terminals, with only the initial 
investment. 

There are various methods that could be employed to 
substitute the enhanced terminals for the normal ones. It 
might require the services of a slightly dishonest truck 
driver or warehouse clerk. 

The important point is that the terminals would not 
be suspected because they were not 'stolen' in the classical 
sense of the term, just replaced with 'enhanced' versions. 
The shipping papers could be changed to reflect the 
different numbers if serial numbers could not be changed. 

In other areas, the process might even be easier. 
Companies often put out advance notice of upcoming software 
revisions, or hardware field changes. Subverters could be 
alert to these things and be ready with enhanced revisions 
or field changes. On a software revision the subverter could 
conceivably intercept a software revision tape and modify 
(or replace) it within hours. The delay would be negligible. 

Another method that can be used is for the subverter 
to generate bogus software revisions or field changes to be 
carried out by system maintenance personnel. These changes 
can be forwarded on forged stationery and customers would 
have no reason to suspect that the changes are bogus [10]. 
4. Installation Phase 

The installation of any computer system is a rather 
chaotic period. The subverter can capitalize on this chaos 
and use it to his advantage. 

There are several opportunities to install software 
artifices during the initial installation of a new system, 
particularly a new operating system. Several bugs are bound 
to surface and the system may require numerous regenerations 
of code to test out all the changes required by the 
tailoring of the system to the particular installation. 

Systems programmers will be uncertain about the new 
system's behavior patterns. In such an uncertain environment 
security personnel will naturally not allow sensitive 
information to be processed, and in fact might allow the 
system to be run under less control than would otherwise be 
present. It is doubtful that a malicious systems programmer 
would be scrutinized very closely and he could insert many 
trap doors into the new system. 

Many decisions are made during these initial break 
in periods concerning operational procedures that the 
subverter can offer his 'advice' on. Each installation is 
different and requires judgement calls on the particular 
situation at hand. A highly technical subverter (such as the 
vendor's representative) can prove surprisingly effective in 
this kind of situation. 

An interesting method for inserting trap doors that 
can be implemented during the installation phase is 
suggested in the Multics Security Evaluation [10]. 

Here, the system initialization code is modified by the 
penetrator to insert other trap doors as the system is 
brought up. Such trap doors can be relatively invulnerable 
to detection and recompilation, because system 
initialization is usually a very complex and poorly 
understood procedure. 
5. Production Phase 

Inserting artifices during the production phase of a 
system's life cycle may entail more risk than inserting 
during the other phases. All security measures will be in 
effect, due to the presence of sensitive information. But 
these risks are only high in comparison to inserting during 
the other life cycle phases, and in an absolute sense can be 
quite acceptable. Recall that the common 'computer criminal' 
or penetrator works exclusively in the production 
environment and has had excellent results. Techniques used 
by the subverter to install artifices in the production 
phase of a system are the same techniques used by the 
penetrator to generally exploit a system, i.e., system 
foibles. 
One could argue that it seems senseless to use an 
unintentional trap door (a foible) to install an intentional 
trap door (an artifice). But one must remember that the 
subverter is not out for the 'quick dollar'. He is a 
professional that is in the business of gathering 
information over a long period of time. The subverter will 
certainly use any device at his disposal, but the 
deliberate, well thought out, and tested artifice can insure 
results over the long haul, with a minimum of risk. The 
artifice will continue to work even if the original foible is 
found and corrected. 

It is instructive to examine how one might insert 
clandestine code in a system when it is in an operational or 
production mode. The example chosen is the Univac 1108 
penetration exercise. The success of the exercise was due to 
two design foibles [17]: 

1. Inadequate error recovery. For any given job the user 
had the ability to request the control of error 
recovery. In general an error routine in the Exec VIII 
operating system had access to the same addressing 
environment as the routine causing the error. Exec VIII 
did not stack error handling routine requests, but 
deleted the previous request. 

2. Unprotected reentrant routines. Shareable 
non-executive reentrant routines in Exec VIII are called 
reentrant processors (REP). Examples of these are 
compilers, text editors, data management subsystems, 
etc. Each REP must have an associated data area that is 
writable. Due to a hardware design oversight, write 
protection is provided for both instruction and data 
banks or for neither. For the REP to be able to modify 
its associated data bank the code area must run 
unprotected from modification. 

Due to Exec VIII core allocation policies, there was 
generally a number of unused words at the end of the last core 
block allocated to the REP code area. The sequence of events 
was as follows [17]: 

1. A legitimate program called BREAKER requests to 
handle its own error recovery. 

2. The BREAKER program prepared an out-of-bounds data 
bank for the victim REP and linked to it. 

3. BREAKER invoked the victim REP and the REP 
immediately caused a guard mode error while trying to 
access its data bank. 

4. Control was immediately returned to the BREAKER 
routine via the error handling request. BREAKER then had 
write access to the victim REP. 

5. BREAKER checked the end of the victim REP to see if 
there were enough free words in the code block to insert 
a calling sequence to a clandestine routine. If there 
was, the entry point of the REP was changed to a jump to 
the beginning of the free area and a calling sequence 
was inserted in the free area. 

Using this method a subverter could essentially build a 
general purpose Trojan horse that could be used in various 
ways. Depending on the purpose of the clandestine program 
invoked by the calling sequence, the subverter could: 

1. access information owned by any user who subsequently 
invokes the victim REP. 

2. install trap doors in programs owned by users of the 
victim REP, such as the operating system. 


6. Summary 

The insertion phase is the most significant aspect of 
the subversion process. The efforts that go into this phase 
yield 'tools' that will give the subverter access to 
information almost as easily as the owner of the 
information. Whereas the subverter has constructed a sound 
foundation from which to work, he has left the legitimate 
user one of sand. 
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C. EXERCISING ARTIFICES 


itematscussion up to this point has centered on the 

mover ver creating the subversion environment. Attention 
will now turn to how the subverter can use this Environment 
to exploit a computer system. There are several activities 
Meeoecan be carried out by the subdverter after he has 
activated the artifice [11]; 

mmo rtraction—-= the withdrawal or copying of data 

Pemalteration-~ changing or modification of data, 

programs or hardware, 
oO. addition---- adding extraneous data 


4, utilization=- using the System resouces malicously. 


All these activities are possible objectives of the 
Subverter. Before these activities are discussed it 1s 
Meetructive to first understand how the artifices that wili 
enable these activities are trigzered. 
1. Activating Artifices 
a. Software Activation 

(1) Trojan Horses. Trojan horses are usually 
activated by the victim program. Although the mechanism is 
considered activated, that does not imply that the covert 
function of the Trojan horse will necessarily do anything 
malicious. Due to the possible wide usage that a Trojan 
horse can get, the subverter may desire to limit the 
information that it gathers. 

A text editor can be enhanced to check the 
file name of those files it is employed to edit and, based on 
a predetermined target, the Trojan horse will respond 
accordingly. The target might be the system password file. 
When the editor senses this file it will copy the file to a 
safe place; otherwise it will lay dormant. A safe place is 
any area that is accessible to the subverter. This may be a 
file in the subverter's own directory or a system buffer area 
that is accessible via a clandestine routine. 

(2) Trap doors. Should the subverter require 
direct control over when an artifice is activated, it might 
require an agent to input the trigger via a terminal or by 
submission of a batch job. The activator need not be aware 
of what clandestine activities are in progress. For 
instance, suppose a trap door was inserted in a system 
during the implementation phase of the system's life cycle. 
The subverter knew exactly what tasks needed to be performed 
but not when. Remember that the insertion may have taken 
place years prior to the time of its activation. Imagine the 
following scenario. 

A janitor has access to a 
room that contains a terminal. Like many installations the 
system runs 24 hours a day. The janitor has received 
instructions to turn on the terminal and type in a given 
string of characters. He then proceeds with his cleaning 
chores. At the end of a predetermined time the janitor 
switches off the terminal, and proceeds as though nothing 
had happened. The trap door was programmed to periodically 
check the teletype buffer for the predetermined pattern, 
perform its clandestine function and then erase all traces 
of its actions. 

Another method of activation for trap doors 
is by timer. If a subverter is aware that some valuable 
information will be input into the system after a certain 
date, he can install a trap door that will periodically 
check the system clock for a certain date. Upon recognizing 
that the date has occurred the trap door will copy the 
information to a safe area for later retrieval. Variations 
on this theme have been informally reported within the 
Department of Defense. These artifices were implanted by 
disgruntled employees. The results of these implantations 
can be disastrous. It could mean the voiding of thousands 
of dollars worth of software because there is no way to find 
the malicious code and the risk could be too great. If such a 
mechanism was installed in something like automated process 
control software, thousands of dollars worth of damage could 
result. 

b. Hardware Activation 
Methods for activating hardware artifices will 
vary with the sophistication of the mechanism. The following 
are a few examples: 

1. An enhanced chip that is part of a teletype terminal 
is activated by the system's login sequence. Upon 
recognizing the sequence, the chip will store the user's 
name and password in the chip's own memory area. 

2. An "intelligent" chip such as a special purpose 
microprocessor that can be microprogrammed by the data 
stream that follows the trigger. This mechanism could 
reside in peripheral equipment and be used to 
selectively copy data to other storage devices on 
command. 

3. A central processor that has been "modified" to 
disable memory checking mechanisms or place the 
processor in master mode when a special sequence of 
unused opcodes is executed. The opcodes when executed in 
any other order will have no effect on the processor. 
There would be another special sequence of code that 
would restore the processor to normal operation. 
2. Techniques of Exploitation 

After the artifices have been activated there are 
several activities in which the subverter can engage. Below 
is a brief discussion of some of the possibilities. 

a. Breaking Out of a Subsystem 
As pointed out earlier, subsystems are built 
around an underlying operating system. This subsystem will 
use the primitive operations of the operating system to 
construct the restricted environment that the user will see. 
To the operating system (and the subverter) the subsystem is 
nothing more than another program running concurrently on 
the system. 

Assume a subsystem is designed to restrict the 
user to performing simple calculator functions. That is, 
the user can type simple mathematical expressions at the 
terminal and the answer will be typed in reply. Any input 
other than a valid expression will result in the subsystem 
replying with the message "invalid expression, try again". 
This is clearly a restricted environment. The user does not 
have the ability to execute programs, or use any of the 
other services offered unrestricted users. 

But if the underlying operating system had been 
subjected to subversion, the subsystem could be easily 
bypassed by the user. The method that can be used is similar 
to the trap door used by the janitor. 

The user activates the trap door by typing in 
the trigger sequence. The trap door is periodically scanning 
the teletype buffer area for the trigger sequence. When the 
sequence is recognized by the trap door the terminal is 
removed from the subsystem environment and given whatever 
control the subverter that inserted the clandestine code 
desires. 
b. A Demonstration Case 
During the time that this research was being 
carried out, one of the school's computer systems was 
subjected to "attack" by a malicious individual. The system 
in question was a PDP-11/50 running under the UNIX operating 
system. This case is a simple example of breaking out of a 
subsystem. 

The subsystem under consideration was the 
"games" monitor. This system has several games programs that 
came with the system or were written by students as class 
projects. The subsystem is "constructed" by having users (no 
password required) that log in under the games user-id 
restricted to executing only those programs and commands 
that reside in the games directory. The games option is only 
enabled during "off" processing periods when the system use 
is low. The malicious user was familiar enough with the 
system to know the dialup terminal phone number. It was 
apparent that he was familiar with the UNIX system, because 
he wrote a program (the trap door) and inserted it into the 
games directory. 

The program was called "2X" and it was a "C" 
language program that executed one command language (called 
"shell") statement. Since this program was in the games 
directory, the monitor environment did not prevent the 
execution of the command language statement. This trap door 
gave the individual all the privileges of an unrestricted 
(non-super) user. He could (and did) read the password file 
for the names of legitimate users. He found some users that had 
the same password as their name (this example was mentioned 
earlier). He was later discovered logged in under some of 
the legitimate users' names, or would respond with one of 
these names when queried online. 

Dialup capabilities for the monitor were eventually 
restricted to specially authorized personnel, and the 
mysterious "attacker" did not make his presence known again. 
Several procedural errors were identified in the course of 
the "investigation" and have since been corrected. Among 
these were the password assignment procedures (mentioned 
earlier), under which passwords are no longer initialized as 
the user's name, and the restriction of the dialup 
capabilities. This "attacker" did not appear to be 
malevolent in his actions. He seemed as though he was 
looking for a little "free" computer time. But there is no 
way to determine this for sure, nor is there a way to 
determine what other artifices might still be present in 
the system. 

c. Using Emitters 

Computer systems are electromagnetic emitters 
like any other piece of electrical equipment. Information 
can be gathered by monitoring these emanations. 
Communication lines and cathode ray tubes are particularly 
vulnerable to these techniques [11]. Security personnel are 
generally aware of this problem [S]. Computer sites can be 
measured for the amount of emanations present. If they are 
sufficiently low, a site could be certified as satisfactory 
in this area. However, if there were covert transceivers 
embedded in the equipment at the factory this 
"certification" could prove useless. A transceiver that is 
monitoring a data bus could sense a data stream trigger. 
Upon activation the transceiver would begin to broadcast the 
activity on the data bus at a higher power level than would 
be normally present. Since the transceiver was not active 
during the "certification" its presence would not be 
detected. A similar sequence could act as the deactivation 
key to stop the transceiver from broadcasting. As one can 
see this is nothing more than a specialized hardware trap 
door. 
d. Memory Residue 

In a resource shared system the allocation of 
memory could result in the exposure of sensitive information 
to unauthorized users. Unless specific actions are taken by 
the operating system or the previous user, memory assigned 
to a new user program will contain whatever was last placed 
in it. 

The ADP Security Manual [8] addresses the 
problem: 

The O/S shall ensure that classified material or critical 
elements of the system do not remain as accessible residue 
in memory or on on-line storage devices. 

This means that the operating system must clear core before 
it is assigned to a program. This mechanism, if subverted, 
could be designed to "turn off" by command. 

This could prove valuable to the subverter who 
has agents that are legitimate users of a system. As a 
matter of standard procedure the agents could perform the 
following actions whenever they are processing jobs: 

1. program begins execution and immediately turns off 
the clear core mechanism by activating an artifice. 

2. program waits for sufficient residue to build up in 
the free core area, and requests additional core for the 
next processing step. 

3. upon receiving the additional core the program dumps 
the contents of the core to a file in his directory for 
later review. 

4. program turns residue mechanism back on and completes 
legitimate tasks. 

Another problem with memory residue arises when a 
computer is involved in what is commonly called "periods 
processing". A periods processing environment is one that 
uses the same computer to process information of different 
security levels, but at different times. 

At the end of a processing period in one mode, 
special procedures are carried out to insure that all traces 
of information are removed from the system. This is known as 
"color changing". This includes removing all tapes, cards, 
printouts, ribbons, etc., from the system. The next shift 
would bring all the necessary equipment with them to do the 
same. One of these procedures is, of course, clearing core. 
The program used to "clear" core could be one that writes 
random patterns into core. This could be repeated several 
times to ensure a good "brainwashing". Assuming the color 
change was from classified to unclassified, it would be 
possible to obtain information from the previous processing 
period. If the program that cleared core did not write 
random patterns into core, but instead encrypted the 
information, it would be undetectable by the operator. A 
clandestine process that runs in the unclassified period 
could core dump the information to files for later 
decryption. 
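The clear-core mechanism and the color-change scrub described above, as an added example in C that is not code from the thesis: a toy page pool in which allocation scrubs pages, an operator's residue check on a freshly allocated page that exposes a mechanism switched off by an artifice, and a scrub whose result is verified rather than trusted. Page sizes, function names and the sample contents are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed sizes: small enough that a page can be inspected by hand. */
#define PAGE_SIZE 64
#define NUM_PAGES 4

static uint8_t pool[NUM_PAGES][PAGE_SIZE];   /* the machine's "core" */
static bool in_use[NUM_PAGES];

/* The clear-core mechanism the ADP Security Manual requires. The thesis
 * warns that a subverted mechanism could be turned off by command; the
 * switch exists here only so the residue check can show what that looks like. */
static bool clear_core_enabled = true;

void set_clear_core(bool on) { clear_core_enabled = on; }

/* Hand out the first free page, scrubbed first when the mechanism is on.
 * Returns the page index, or -1 when no page is free. */
int page_alloc(void) {
    for (int i = 0; i < NUM_PAGES; i++) {
        if (!in_use[i]) {
            in_use[i] = true;
            if (clear_core_enabled) memset(pool[i], 0, PAGE_SIZE);
            return i;
        }
    }
    return -1;
}

/* Release a page without touching its contents: the baseline the text
 * describes, where memory keeps whatever was last placed in it. */
void page_free(int idx) {
    if (idx >= 0 && idx < NUM_PAGES) in_use[idx] = false;
}

/* A user program writes data into its page; returns bytes written or -1. */
int program_write(int idx, const char *data) {
    size_t n = strlen(data);
    if (idx < 0 || idx >= NUM_PAGES || n > PAGE_SIZE) return -1;
    memcpy(pool[idx], data, n);
    return (int)n;
}

/* Count the non-zero bytes in a page: the residue a new owner could read. */
int residue_bytes(int idx) {
    int count = 0;
    if (idx < 0 || idx >= NUM_PAGES) return -1;
    for (int i = 0; i < PAGE_SIZE; i++) count += pool[idx][i] != 0;
    return count;
}

/* Operator check: allocate a fresh page, measure its residue, free it.
 * Anything but 0 means the clear-core mechanism is not doing its job,
 * whether through a bug or through an artifice that switched it off. */
int audit_fresh_page(void) {
    int idx = page_alloc();
    if (idx < 0) return -1;
    int r = residue_bytes(idx);
    page_free(idx);
    return r;
}

/* Color-change scrub: overwrite every page `passes` times with a rotating
 * pattern, finish with zeros, then verify. Returns the number of pages still
 * holding non-zero bytes, so the operator checks the scrubber's output
 * instead of trusting it (the text notes a subverted scrubber could write
 * encrypted data rather than a clearing pattern). */
int color_change_scrub(int passes) {
    static const uint8_t pattern[] = {0xFF, 0xAA, 0x55};
    for (int p = 0; p < passes; p++)
        for (int i = 0; i < NUM_PAGES; i++)
            memset(pool[i], pattern[p % 3], PAGE_SIZE);
    for (int i = 0; i < NUM_PAGES; i++) {
        memset(pool[i], 0, PAGE_SIZE);
        in_use[i] = false;
    }
    int dirty = 0;
    for (int i = 0; i < NUM_PAGES; i++) dirty += residue_bytes(i) != 0;
    return dirty;
}

/* The scenario in the text: a program leaves data behind; with the
 * mechanism on the next owner sees nothing, with it off the residue shows. */
int residue_scenario(bool mechanism_on) {
    set_clear_core(true);
    int p = page_alloc();
    program_write(p, "SECRET PAYROLL DATA");   /* constructed sample, 19 bytes */
    page_free(p);
    set_clear_core(mechanism_on);
    int r = audit_fresh_page();
    set_clear_core(true);
    return r;   /* 0 with the mechanism on, 19 with it switched off */
}
```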
e. Using Confinement Channels 

Confinement channels have traditionally been 
thought of as a slow means of extracting information. But in 
an environment where particular care has been taken to 
defend against subversion, this method may be the only way 
of gaining information. Channels on the order of a bit per 
second have been demonstrated and channels that can pass on 
the order of tens of bits per second have been hypothesized 
[22]. The following are a few examples of what form these 
channels might take: 


1. If the system has interlocks which prevent files from 
being opened for writing and reading at the same time, 
the service can leak data if it is merely allowed to read 
files that have been written by its owner. The interlocks 
allow a file to simulate a shared boolean variable which 
one program can set and the other can test [16]. 

2. By varying its ratio of computing to input/output or 
its paging rate, the service can transmit information 
which a concurrently running process can receive by 
observing the performance of the system. The communication 
channel thus established is a noisy one, but the 
techniques of information theory can be used to devise an 
encoding which will allow the information to get through 
reliably no matter how small the effects of the service on 
system performance are, provided they are not zero. The 
data rate of this channel may be very low, of course [16]. 

3. An exploitable path for information flow can be created 
between an uncleared individual accessing the system 
during one processing period and the classified 
information processed by the system during another 
processing period if, over time, the same software is 
employed in both processing periods. Such a "covert 
leakage path" can effectively negate the necessary 
complete isolation between processing periods... [23]. 

Case 1 is very similar to the process-id binary 
channel discussed earlier. But in this case the binary 
channel is the interlock. The owner (subverter) knows the 
service program (which has access to the sensitive data) is 
sending a binary "1" if the service opens the given file for 
reading. This is because he would be prevented from writing 
into the file by the interlock. He would be receiving a "0" 
if he was permitted to write the file. 

Case 2 is similar to the example that measured 
the run time of a program. In this case low system 
performance means a "0" and higher system performance a "1". 

Case 3 is an example of passing information 
between processing periods. Assume that the machine in 
question is one that supports memory paging. Also assume 
that the programs in question are reentrant routines. This 
means that they would not get swapped out during a page 
fault, just overwritten. Should the program be able to 
execute in the master mode, it could write sensitive 
information into unused portions of the code block (like the 
UNIVAC 1108 example). Since the code block was modified the 
page swapping routine would swap it out instead of 
overwriting it. When the next unclassified processing period 
starts, the subverter merely reads the data from the code 
block of the program. 


f. Affecting System Performance 
Not all subversion activities would be concerned 
with gathering information. For some computer systems the 
subverter may only be interested in rendering these systems 
ineffective at key times. Tactical or strategic systems are 
examples of where this might be desirable. 

A system's design or implementation could be 
subverted so that its performance may suffer during critical 
operations. It is often difficult to test such systems under 
critical real world conditions. These systems could meet 
performance specifications under simulated situations but 
prove ineffective in a real world situation. 

Triggering of artifices in these systems can be 
by external events. Suppose there is a command and control 
system that keeps track of potentially hostile ships. A trap 
door entered during the implementation phase of this 
particular system is designed to activate whenever it 
detects that a certain ship was reported at a certain 
position. When the opposing side decides to start hostile 
operations, it could send the designated ship out to the 
predetermined position before the start of hostilities. The 
ship could remain at that position long enough to insure 
that the intelligence system had time to enter the ship into 
the system. When the trap door recognized the activation key 
(ship identification and position) it could cause the system 
to gradually degrade in performance until it was 
ineffective. The ship would have, in effect, "sunk" the 
command and control system from thousands of miles away. 
Examples of what an artifice could cause to happen to this 
kind of system are: 

1. cause the system to crash at random intervals, 

2. slow down the system performance by randomly clearing 
core page usage data, thus causing the system to swap 
pages in and out of core excessively (thrashing), 

3. randomly ignore or lock out the command console. 

Activity such as this would render the system unreliable and 
create an unwillingness to use it. Furthermore, systems 
maintenance personnel would make the system unavailable for 
many long hours while looking for a bug that may never be 
found. Since it was installed during the implementation 
phase it would exist in all copies of the system code. 


D. Retrieving Information 

Once information has been accessed by the methods 
outlined previously, the problem of removing the information 
from the confines of the security perimeter still remains. As 
one might expect, the difficulty of the retrieving process 
is directly related to the "strength" of the security 
perimeter. In a relatively open system retrieval might be as 
easy as walking out the front door with listings under one's 
arm. In a more restrictive environment other methods can be 
devised. In a multilevel security mode, the unclassified 
user is frequently not scrutinized; in fact, he might be 
using a dialup terminal several miles from the computer 
installation. 

This discussion will assume that the exercising phase of 
subversion has placed the desired information in a "safe" 
place (i.e., any area that is accessible to the subverter). 
1. Retrieving Files 

If the internal protection mechanisms were used to 
enforce the security perimeter (as in a multilevel security 
system) then the subverter may have a simple job of 
retrieving the information. Since the security controls were 
circumvented in obtaining the information, the security 
perimeter has been breached and retrieval may only involve 
dumping the information out in some transportable form. 
However, if this is not the case the information may be 
reviewed by someone before it is allowed to cross the 
security perimeter. In this case the information must be 
disguised or perhaps even encrypted. 

Information can be hidden in the header pages or 
system job statistics areas of batch job printouts. These 
are often ignored areas of a listing. These areas could 
offer low bandwidth channels for the information. 

Encrypting information into statistical tables or 
core dumps can significantly increase the volume of 
information that can be channeled through the security 
perimeter. 
2. Retrieving with Hardware Devices 

Hardware transmitters can be used to pass information 
beyond the security perimeter. These devices can offer 
channels of very high bandwidth. A high speed printer that 
had a transmitter embedded into it during the installation 
phase is an example. Again the activation key could be a 
sequence of characters in the data stream that turns on the 
transmitter and a similar sequence to turn it off. 

An interesting method that could be used for a low 
bandwidth channel is the front panel of the computer 
console. Some installations have big glass windows that 
define an external security perimeter. A subverter could 
submit an unclassified job to a system that could serve to 
activate a trap door. The subverter only need watch the 
register lights for the information to be flashed to him. 
Naturally the normal register lights would be flashing too 
rapidly for the subverter to understand them. However the 
parity light for the registers could be controlled in such a 
manner that it could send Morse code to the subverter. By 
having a program that repeatedly enters even parity or odd 
parity values into a register an information channel could 
be established. Furthermore, the flashing could be recorded 
photographically or using video tape. 


E. CHAPTER SUMMARY 

This chapter has outlined the methodologies of computer 
subversion. This subversion may involve the organized 
efforts of many individuals whose talents could range from a 
computer scientist to an unskilled laborer. Subversion is a 
three step process involving the insertion of artifices into 
computer system components, exercising them, and retrieving 
the resultant information. The insertion process could be 
carried out over the entire life cycle of a computer system, 
from the beginnings of its design through to, and including, 
the production phase. Once installed these artifices can 
be used to circumvent normal internal controls of the 
computer system for the purpose of accessing unauthorized 
information. Once unauthorized access is obtained, the 
subverter need only disguise this information into a form 
that will circumvent any external controls that may exist, 
thus effecting its retrieval. 

Subversion is clearly a threat to the security of any 
information that relies on a computer system to protect it. 

In the next chapter ways of minimizing the risk of 
subversion are investigated. 
IV. MINIMIZING THE RISK OF SUBVERSION 

Theoretically, there are three ways in which subversion 
can be minimized, and they relate directly to the three 
phases of subversion: 

1. Prevent the insertion of all mechanisms that can 
be utilized to defeat internal security controls, or 

2. Prevent the malicious user from exercising these 
mechanisms, or 

3. Prevent the retrieval of any information gained via 
exercising techniques. 

Any one of the three methods mentioned above could 
prevent subversion. Each method will be briefly discussed as 
to its merits in helping to minimize the threat of 
subversion. 


A. RESTRICTING INSERTION OPPORTUNITIES 

Preventing the subverter from inserting artifices may not 
be a simple task, but it is essential to the ultimate 
solution to the problem of subversion. It has been 
demonstrated how subversion can occur over the entire life 
cycle of a computer system. To prevent the insertion of 
artifices implies that the subverter must be prevented the 
opportunity to access system components at any point during 
this life cycle. Clearly, system components that affect the 
security of the system must be afforded lifetime protection. 
1. Lifetime Protection 

For lifetime protection to be effective it must 
involve such measures as: 

1. Appropriate security clearances for any personnel 
involved in the various stages of the computer system's 
life cycle [2]. 

2. Sufficient "hardening" of manufacturing and 
development programming sites to prevent subversion by 
external forces [2]. 

3. Proper protection of all system components from 
access by malicious elements for the entire system's life 
cycle. 

Without the above measures, proper assurances would not 
exist concerning the safe history of system components. That 
is, whether or not malicious elements have had the 
opportunity to subvert the components. The only appropriate 
course of action would be to not allow these components to 
participate in the protection of information. This is 
because the very nature of subversion is covert, and it 
would be virtually impossible to detect if it had occurred in 
a system after the fact. If any period during the lifetime 
of a computer system has a lapse in protection it must be 
similarly assumed that these components are unreliable from 
that point forward. 
2. Appropriate Protection Policies 

The above measures should be viewed in the proper 
perspective. What is meant by "sufficient hardening" of 
development sites, or "proper protection" of system 
components? 

Just because a computer system will be involved in 
the protection of classified information does not mean that 
the system components are themselves inherently classified. 
It would therefore not be appropriate (even 
counterproductive) to demand that these system components be 
protected in the same way as classified materials. For 
instance there would not be any reason to prevent copies of 
programs from being seen. The central issue is not the 
content of the programs, but restricting access (for 
modification) to the particular copies of those programs 
that will be used to enforce protection in the system. 

A more appropriate protection policy is needed. In 
essence this policy should outline a strategy of "look, but 
do not touch". For instance, in the area of development or 
manufacturing sites, hardening does not have to be concerned 
with emanations where there is no sensitive information 
contained in the operating system code or hardware equipment 
at this point in the life cycle. 

Similarly, the proper protection of system 
components would dictate that they be protected from 
malicious elements having access. Previous chapters have 
outlined in detail that there are many ways that a subverter 
can access system components. Therefore, countermeasures to 
these access routes must be devised. But restricted access 
need only apply to those particular programs and equipments 
actually involved in the protection of information. Copies 
of the programs could conceivably be made available to 
anyone. However, those particular components (programs or 
hardware) that will actually be used in the protection of 
information need to be clearly distinguished and protected. 
Specifically, those particular components involved in the 
protection of information should be labeled and protected 
from access at the same level as the information they are 
expected to protect. 

One of the basic principles of subversion involves 
the introduction of clandestine mechanisms into security 
related system components. However current DOD security 
program regulations and directives [7,8,24] are primarily 
concerned with the REMOVAL of sensitive materials from a 
secure environment. These directives must be changed to 
ensure that security not be compromised by the INTRODUCTION 
of materials as well. 
B. RESTRICTING EXERCISING OPPORTUNITIES 

To prevent the exercising of mechanisms that could defeat 
internal system controls, one could: 

1. Find and eliminate all such mechanisms, or 

2. Somehow guarantee that they could not be employed. 

Both these "solutions" when applied to current operating 
systems are, in any practical sense, infeasible. 

Both these "solutions" assume that such mechanisms can 
be identified in the first place. To do this would 
require a means of determining that every program executed 
on a machine is "safe". But chapter II brought out the fact 
that there is no general solution to the safety problem [4]. 
A simple example of this is a Trojan horse. As previously 
indicated, the user willingly invokes a malicious program 
and, in doing so, gives it "permission" to perform its 
covert functions. Not only will most computer systems not 
prevent the employment of such a program, they will 
unknowingly aid in its endeavors. 

Finally, one must consider the system foible (design and 
implementation errors). Recall that these are mechanisms 
that can also be of use to the subverter. To presume that 
all such foibles are identified and eliminated is to imply 
that the perfect design was flawlessly implemented. This is 
a highly unlikely prospect. Chapter II offered ample 
testimony to the fact that current technology is a long way 
from the perfect implementation of something the size of a 
modern operating system. If "accidents" such as system 
foibles are so difficult to find, then the deliberately 
obscured artifice would be virtually impossible to detect. 
Attempting to prevent the exercising of artifices is a 
futile approach. 


C. RESTRICTING THE RETRIEVAL OF INFORMATION 

Restricting the retrieval of information must presently 
be considered the last defense against subversion. This is 
obvious because, as pointed out earlier: 

1. No assurances exist as to the absence of past 
subversive activities on system components, therefore 
subversion of the components must be assumed. 

2. There exists no general method that can prevent the 
exercising of clandestine mechanisms in a computer 
system. 

Ultimately, preventing the retrieval of unauthorized 
information from a system will lie with the effectiveness of 
the security perimeter. If the subverter can cross this 
defensive barrier then he has, in effect, retrieved the 
information. One must clearly delineate where this perimeter 
lies. Unless it is clearly delineated, one cannot determine 
the effectiveness of those mechanisms designated to enforce 
it. 
1. Delineating the Internal Security Perimeter 

When the security perimeter of a computer system is 
enforced by strictly external means, the system is said to 
be operating in the dedicated security mode [21,22]. The 
security perimeter is clearly defined as those physical 
measures (such as guards, etc.) required to insure that no 
unauthorized information will leave the boundaries of the 
perimeter. All users, equipment, and information reside 
within this perimeter. The effectiveness of this kind of 
security perimeter is easily determined as it is based on 
established practices that are not unique to computer 
security. The dedicated mode of operation is the result of 
the need to restrict retrieval of information. This is 
certainly a sound technique but it does not solve the 
classical computer security problem. That is, the need to 
reliably share information of varying degrees of sensitivity 
among users of varying degrees of trustworthiness. 

In the case of the computer that is used in the 
multilevel security (MLS) mode, the security perimeter is 
less clear. In this mode of operation the security perimeter 
is enforced by the internal protection mechanisms of the 
computer system. This is because personnel that are not 
cleared for the highest level of information contained 
within the system are allowed some form of access to the 
system. The only barrier between the uncleared user and the 
information that he is not authorized to access is the 
internal protection mechanisms of the computer system. 
Therefore it is imperative that this internal barrier (i.e., 
security perimeter) be well defined within the system. 

The difficulty with contemporary computer systems 
is that control of these internal protection mechanisms is 
distributed throughout the entire operating system. There is 
no clear distinction as to which parts of the system enforce 
the security perimeter and which do not. As a result of this 
vagueness, any attempt to evaluate the effectiveness of a 
computer system to enforce a security perimeter is doomed to 
ad hoc approaches such as those outlined in Chapter II. 
And these are notoriously ineffective. 

So called "trusted" subsystems compound the problem 
by attempting to "establish" a security perimeter with a 
special program. But ultimately a subsystem will use the 
very same protection mechanism that the underlying operating 
system uses. It should be clear by now, that in the face of 
subversion the subsystem is not the least bit more secure 
than the underlying operating system and other security 
related components that it embraces. 

It is clearly essential that any internal protection 
mechanism be defined in such a way that its effectiveness 
can be demonstrated. One such mechanism is the security 
kernel. Schell [6] states: 

The chief distinguishing characteristic (from whence its 
name) of the security kernel concept is that a kernel 
represents a distinct internal security perimeter. In 
particular, that portion of the system responsible for 
maintaining internal security is reduced from essentially 
the entire computer to principally the kernel. 

It is instructive to see how this mechanism could be used to 
prevent the subverter from retrieving unauthorized 
information. 
2. Security Kernel Concept 

In a system that is based on a security kernel, 
protection is realized within the computer system by the 
verifiable implementation of a mathematical model of 
information security. This model is based on an abstract 
representation of security called the reference monitor [5]. 
The reference monitor describes a mechanism for controlling 
the access privileges within the system (see references 
nS | for further details on the monitor). The 
implementation of this mechanism is the security kernel. 

The security kernel is designed to be a verifiable subset of security related operating system functions. These functions form an interface (i.e., a security perimeter) between the user and the information. If the security kernel is implemented correctly, its use will guarantee that the information in the system will be protected in accordance with the security policy that is outlined in the security model. Essential design requirements of the security kernel are:

1. It must be tamper proof.

2. It must always be invoked.

3. It must be small enough to be subject to analysis and tests, the completeness of which can be assured.

The Multics Security Evaluation [10] points out how contemporary systems have been unable to meet these criteria:

The stated design goals of contemporary systems such as GCOS or OS/360 are to meet the first requirement (albeit unsuccessfully). The second requirement is generally not met by contemporary systems since they usually include "bypasses" to permit special software to operate or must suspend the reference monitor to provide addressability for the operating system in exercising its service functions. The best known of these is the bypass in OS/360 for the IBM supplied service aid, IMASPZAP (SUPERZAP). Finally and most important, current operating systems are so large, so complex, and so monolithic that one cannot hope to attempt a formal proof of certification of their correct implementation.

Two basic precepts that are enforced in the security kernel are:

1. The simple security condition - This means that a user or his program is not allowed access to information for which he has no authorization.

2. Confinement property - If a user or his program has read access to information at one security level, say secret, then he cannot have simultaneous write access to a file that exists at a lower security level (i.e., unclassified). This prevents what is called a 'write down'.

These two precepts and other supporting strict rules of the security kernel are the basis by which the subverter is prevented from retrieving unauthorized information.

In the case of the Trojan horse, the simple security condition and the confinement property can render such a clandestine mechanism useless. The basic concept behind a Trojan horse presumes that it will be allowed into an environment that contains sensitive information. Once in this environment the covert function attempts to obtain sensitive information and place (write) it in an area that will be accessible to a subverter. The security kernel, through the confinement property, will not permit a 'write down'. That is, it will prevent the covert function from "declassifying" the information by not allowing it to be copied to anywhere but another classified file. Assuming the subverter is an unclassified user, the simple security condition will prevent him from accessing any files gained through this method because he will not have the proper clearance to read the file provided by the Trojan horse.
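
The two precepts at work against the Trojan horse described above, as an added example that is not part of the thesis (Python, with constructed user names, file names and labels): a toy reference monitor through which every read and write passes, where the simple security condition refuses a "read up" and the confinement property refuses a "write down".

```python
# Added example, not part of the thesis: a toy reference monitor enforcing the
# simple security condition (no "read up") and the confinement property
# (no "write down") over strictly ordered levels. All names are constructed.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class ReferenceMonitor:
    """Every read and write is mediated here ('always invoked')."""

    def __init__(self, labels):
        # name -> [level, content]; the kernel alone holds the labels
        self.files = {n: [lvl, ""] for n, lvl in labels.items()}

    def allowed(self, subj, slevel, op, name):
        flevel = self.files[name][0]
        if op == "read":   # simple security: subject must dominate the file
            return LEVELS[slevel] >= LEVELS[flevel]
        return LEVELS[slevel] <= LEVELS[flevel]  # confinement: no write down

    def read(self, subj, slevel, name):
        if not self.allowed(subj, slevel, "read", name):
            raise PermissionError(f"{subj}@{slevel}: read {name} denied")
        return self.files[name][1]

    def write(self, subj, slevel, name, data):
        if not self.allowed(subj, slevel, "write", name):
            raise PermissionError(f"{subj}@{slevel}: write {name} denied")
        self.files[name][1] = data


def trojan_horse_scenario():
    """A covert function in a secret user's program reads secret data and
    tries to copy it somewhere an unclassified subverter can read.
    Returns (outcome per copy target, files the subverter can read it from)."""
    km = ReferenceMonitor({"plans": "secret", "other": "secret",
                           "scratch": "unclassified"})
    km.write("alice", "secret", "plans", "SECRET PLANS")
    data = km.read("alice", "secret", "plans")  # Trojan horse running as alice
    copies = {}
    for target in ("other", "scratch"):
        try:
            km.write("alice", "secret", target, data)
            copies[target] = "written"
        except PermissionError:
            copies[target] = "denied: write down"
    leaked = [n for n in km.files if km.files[n][1] == "SECRET PLANS"
              and km.allowed("subverter", "unclassified", "read", n)]
    return copies, leaked
```

The copy to the other secret file succeeds, the copy to the unclassified file is refused, and the unclassified subverter can read neither secret file, so nothing reaches him.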
D. CHAPTER SUMMARY 


Security kernel technology directly addresses the problem of minimizing subversion. It offers a basic design that can be proven effective. Through this verifiable protection mechanism a distinct internal security perimeter can be relied on to prevent the retrieval of unauthorized information by malicious elements.

But security kernel technology is not immune to the subversive techniques outlined in this thesis. In fact, it might be more susceptible to subversion due to the high probability that such a system will be used in sensitive areas. Lifetime protection is essential to any mechanism that will be employed in the protection of information.

The security kernel clearly defines the security related mechanism of a computer system. Because of this it is the only part of a computer operating system that need be afforded lifetime protection. Providing protection for the security kernel is a far more practical idea than requiring the lifetime protection of an entire operating system and numerous privileged utilities. Its small size and clear boundaries offer a secure foundation from which to build any operating system. But without lifetime protection from malicious access, there would be no assurances as to the integrity of components involved in the protection of information, and subversion must be assumed.
VI. CONCLUSIONS AND RECOMMENDATIONS


This thesis offers a detailed examination of an aspect of the computer security problem known as subversion. It is not the purpose of this document to provide a handbook of subversion for subverters; they do not need one! This thesis does offer awareness to those who must deal with the computer security problem. People like ADP administrators, ADP security officers, system designers, and others involved in the decision making process must understand subversion if they are to effectively combat it. It is difficult to make intelligent decisions concerning the security of information in computer systems unless one understands the possible extent of the vulnerabilities that could exist in them.

The first part of this thesis identified several problem areas in computer security. One of these areas involves a lack of a coherent policy concerning the exact role that computers should play in the protection of information. This in turn has led to a reliance on inadequate internal mechanisms, and false assurances as to their effectiveness. All these problem areas play a role in the success of subversion.

Important distinctions have been made between the current conception of computer penetration and that of subversion. The penetrator is basically an amateur that exploits system design and implementation errors to gain control of a system. Subversion on the other hand involves the organized efforts of several individuals, some of whom are highly competent at the subversion process. The subversion process involves the use of clandestine mechanisms called artifices. Principal among these artifices are the trap doors and trojan horses. By constructing and inserting these mechanisms into computer systems the subverter creates a safe environment which can be used to exploit a computer system at will.

The three phases of subversion are the inserting of artifices, the exercising of them, and the retrieval of the resultant unauthorized information. Central to the theme of subversion is the insertion of artifices over the entire lifecycle of a computer system. This can be done because computer system components that would be involved in the protection of information do not receive adequate protection against subversive activities during their lifetime.

Subversion is a clear threat to the security of any computer system involved in the protection of information. This threat must be minimized before computer systems can be relied on to adequately protect information. Until such a time, no computer system should be used as a means to protect information. So-called "trusted" subsystems are no exception. They suffer from the same risk of subversion as any other system. The problem of "trusted" subsystems is compounded by the fact that they are built on an underlying operating system that is essentially unsecureable. These systems must be considered particularly dangerous to use because they lull the user into a false sense of security.

Minimizing the threat of subversion is a twofold process. First, adequate lifetime protection must be afforded to all security related components that will be involved in the protection of information. The integrity of security related components cannot be assured without this protection.

Second, the application of adequate technology as exemplified by the security kernel concept must be incorporated in the design of secure systems. Without this verifiable design, the effectiveness of the protection mechanism cannot be reliably determined. Unless these essential requirements are met, there will be no such thing as a secure computing system.